Date: Wed, 4 Jun 2014 10:54:32 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: Operating system distribution security contact lists Hi Lisa, On Tue, Jun 03, 2014 at 09:13:41AM -0600, Lisa Bradley wrote: > I would like to request membership to the closed "Operating system > distribution security contact lists" mailing list on behalf of the IBM > Product Security Incident Response Team (PSIRT). I am part of the PSIRT > team where I help manage the receipt, investigation and internal > coordination of security vulnerability information related to IBM > offerings. You can read more about PSIRT here: > http://www-03.ibm.com/security/secure-engineering/process.html. I am the > main coordinator of Open Source vulnerabilities that affect IBM products. > We have products that utilize Open Source software, so being part of this > list will be beneficial. I do not plan on posting any IBM product specific > issues as we do that through Security Bulletins (see > http://www-03.ibm.com/security/secure-engineering/bulletins.html). > > You can verify that I am part of the PSIRT team by emailing PSIRT directly > at IBM PSIRT<slash>Somers<slash>IBM or psirt<at>us<dot>ibm<dot>com. Thank you for bringing this to oss-security. Besides the above, if this community says that IBM should be on the distros list, we'll need someone already active on oss-security to vouch for you - or I think it could be Troy Bollinger, who was active on Bugtraq. Per LinkedIn, he left IBM when you were already at IBM (for some years), so possibly he could vouch for you? Your LinkedIn profile, if I found the right one, does not mention security, though, so I don't know if you were in contact with Troy back then or not. Would it be reasonable to include IBM security advisory/contact details on our wiki? http://oss-security.openwall.org/wiki/vendors If there are specific OSS products with their own advisory/contact details (different from IBM PSIRT's catch-all), they may be added to: http://oss-security.openwall.org/wiki/software (Yes, this is the same suggestion I just made to VMware.) Anyone can register for an account and edit the wiki, so please do if you find this desirable. What do others in this community think? To remind, on vendor-sec we had representatives from Apple and SGI. We "lost" them when, after vendor-sec ceased to exist, I setup only a linux-distros list initially. At a later time, we also got the distros list, to which Apple and SGI would probably be welcome again - but that issue was not brought up again at that time. Both the Apple folks and the vendor-sec member from SGI were helpful to the rest of the community on vendor-sec, so it was not one-way communication. IIRC, Red Hat folks actually said that I was wrong in limiting the initial membership to Linux distros only, leaving Apple out despite of their valuable contributions to vendor-sec and them having some Open Source products (they're upstream for CUPS, etc.) Perhaps we should have explicitly invited Apple and SGI folks to join distros when that list was finally setup. Perhaps it's not too late to do that now. I'd appreciate comments from the community. I have no strong feelings for, nor against, expanding the distros list membership to include (mostly/partially) closed-source vendors. As yet another option, if the community wants that, I may setup an open-distros list that would include Linux and Open Source *BSDs (initially just the current members of distros), but not the (mostly/partially) closed-source vendors (who would be on distros only). That way, any folks who are possibly uncomfortable about notifying closed-source vendors would have the option to still use our PGP re-encrypting setup to notify just the Open Source distro vendors. Or maybe I am imagining that a significant number of people reporting vulnerabilities would be uncomfortable providing advance notification to closed-source vendors? Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ