Date: Fri, 20 Mar 2015 16:55:54 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: membership request to the closed linux-distros security mailing list

On Fri, Mar 20, 2015 at 08:54:29AM -0700, Anthony Liguori wrote:
> On Fri, Mar 20, 2015 at 8:50 AM, Stuart Henderson <stu@...cehopper.org> wrote:
> > On 2015/03/20 08:16, Anthony Liguori wrote:
> >>
> >> I think the alternative is to formalize what already appears to be the
> >> existing practice: disclose distros@ on the existence of a
> >> vulnerability but require direct contact for the details of the
> >> vulnerability if the submitter/upstream thinks the impact is high.
> >
> > Are private lists even needed if this policy is taken?
> 
> I think there's a lot of value in being able to just send a low-medium
> impact issue to a single list of groups that have gone through some
> level of vetting without needing to respond directly to individuals
> and making value judgements.
> 
> I also think it's helpful to have a single point of contact so that an
> upstream isn't dealing with 10 different people from a single
> organization asking for details.

Why not just publish a low - medium impact vulnerability directly?

Embargo handling always also has some overhead, which is not necessary in such cases.

Ciao, Marcus
