Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 4 Mar 2011 08:08:03 +0000 (GMT)
From: Mark J Cox <mjc@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Vendor-sec hosting and future of closed lists

> This certainly underscores that very few flaws need vendor-sec
> coordination, but I would suspect that out of those roughly 725 flaws,
> many of the really critical ones came through vendor-sec.

Actually, not so much.  Of the flaws we rated impact critical or with a 
CVSS of 'high', only 4 were from that 29 from vendor-sec.

> I'm also curious what "issues already public but found out about it on
> vendor-sec" means?

It's where the date the issue was public is the same date it was reported 
to vendor-sec.  This can be because it was brought to the wrong list, the 
embargo was a day or less, or less often vendors wanted to discuss 
something about it confidentially (a way to exploit it, etc)

Mark

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.