Date: Fri, 20 Mar 2015 16:55:54 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: membership request to the closed linux-distros security mailing list

On Fri, Mar 20, 2015 at 08:54:29AM -0700, Anthony Liguori wrote:
> On Fri, Mar 20, 2015 at 8:50 AM, Stuart Henderson <stu@...cehopper.org> wrote:
> > On 2015/03/20 08:16, Anthony Liguori wrote:
> >>
> >> I think the alternative is to formalize what already appears to be the
> >> existing practice: disclose distros@ on the existence of a
> >> vulnerability but require direct contact for the details of the
> >> vulnerability if the submitter/upstream thinks the impact is high.
> >
> > Are private lists even needed if this policy is taken?
>
> I think there's a lot of value in being able to just send a low-medium
> impact issue to a single list of groups that have gone through some
> level of vetting without needing to respond directly to individuals
> and making value judgements.
>
> I also think it's helpful to have a single point of contact so that an
> upstream isn't dealing with 10 different people from a single
> organization asking for details.

Why not just publish a low- to medium-impact vulnerability directly?

Embargo handling always also has some overhead, which is not necessary in such cases.

Ciao, Marcus