Date: Mon, 22 May 2017 22:28:04 -0400
From: "Perry E. Metzger" <perry@...rmont.com>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: How to request a CVE for open source projects

On Mon, 22 May 2017 20:04:41 -0600 Kurt Seifried
<kseifried@...hat.com> wrote:
> > Primarily, freeform discussion of the sort that occurred on this
> > list as a natural outcropping of the CVE request process led to
> > people linking to verification code, temporary mitigations,
> > highlighting of incomplete fixes, and the sort of information
> > that was requested earlier in this thread.  This ability to
> > easily chip in to ongoing situations wasn't just useful for mitre
> > staff doing CVE work, it was also useful for the "community of
> > practice" looking for the latest information regarding
> > self-defense.  I've prevented more than one attack thanks to a
> > one-off reply from someone in response to a CVE request.    
> 
> You can still do this. oss-security is a list run by Solar Designer
> (openwall.com). I happen to be a long time poster/moderator, but I
> have no official control/etc (I don't even block posts, that's up
> to solar, I just allow stuff or ignore it when it's up for
> moderation).

Maybe after CVEs are assigned the forms could be emailed to the list
as a replacement for the old request emails, to kick off
discussion and alert people to their existence?

Perry
-- 
Perry E. Metzger		perry@...rmont.com
