Date: Fri, 15 Sep 2017 12:28:11 +0000
From: Ben Seri <ben@...is.com>
To: Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com
Subject: Re: Linux BlueBorne vulnerabilities

Hi Alexander,

Our thought is that since these issues affect multiple vendors that are using Linux, the longer the embargo period, the better the chance that a coordinated patch goes out to as many users as possible once the embargo is lifted.

Armis Labs

On Fri, Sep 15, 2017 at 12:26 AM Solar Designer <solar@...nwall.com> wrote:
> On Thu, Sep 14, 2017 at 08:14:03PM +0000, Armis Security wrote:
> > On August 15th we contacted one of the senior maintainers of BlueZ and
> > attempted to establish a longer embargo period with him. Unfortunately his
> > suggestion was to post our findings to linux-bluetooth@...r.kernel.org,
> > which is a public mailing list.
>
> While I understand you not wanting to post to a public mailing list
> right away, why exactly would you have wanted a longer embargo than e.g.
> linux-distros' maximum of 14 days?
>
> > So we decided to disclose our findings to the secure mailing list that
> > unfortunately only has a maximum embargo period of 7 days.
>
> You're probably referring to the Linux kernel security list. 7 days
> sounds like a reasonable embargo period to me, but if you really wanted
> more, you could get up to 14 by first contacting linux-distros only, and
> then bringing the issue to the Linux kernel security list in no more
> than 7 days to the planned public disclosure.
>
> > I am happy to hear the Red Hat security team allows for longer embargo
> > periods, and we will contact you directly in the future.
>
> I hope you will only go for a longer embargo when there's actually a
> good reason for that. There might or might not have been in this case.
>
> Alexander