Date: Fri, 15 Sep 2017 12:28:11 +0000
From: Ben Seri <ben@...is.com>
To: Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com
Subject: Re: Linux BlueBorne vulnerabilities

Hi Alexander,

Our thought is that since these issues affect multiple vendors that are using
Linux, the longer the embargo period, the better the chance that a
coordinated patch goes out to as many users as possible once the embargo is
lifted.

Armis Labs

On Fri, Sep 15, 2017 at 12:26 AM Solar Designer <solar@...nwall.com> wrote:

> On Thu, Sep 14, 2017 at 08:14:03PM +0000, Armis Security wrote:
> > On August 15th we have contacted one of the senior maintainers of BlueZ and
> > attempted to establish a longer embargo period with him. Unfortunately his
> > suggestion was to post our findings to linux-bluetooth@...r.kernel.org,
> > which is a public mailing list.
>
> While I understand you not wanting to post to a public mailing list
> right away, why exactly would you have wanted a longer embargo than e.g.
> linux-distros' maximum of 14 days?
>
> > So we decided to disclose our findings to the secure mailing list that
> > unfortunately only has a maximum of 7 days embargo periods.
>
> You're probably referring to the Linux kernel security list.  7 days
> sounds like a reasonable embargo period to me, but if you really wanted
> more, you could get up to 14 by first contacting linux-distros only, and
> then bringing the issue to the Linux kernel security list in no more
> than 7 days to the planned public disclosure.
>
> > I am happy to hear the red hat security team allows for longer embargo
> > periods, and we will contact you directly in the future.
>
> I hope you will only go for a longer embargo when there's actually a
> good reason for that.  There might or might not have been in this case.
>
> Alexander
>
