Date: Tue, 15 Mar 2011 16:52:35 -0400
From: Art Manion <>
To: "" <>
CC: Andrea Barisani <>
Subject: Re: Vendor-sec hosting and future of closed lists

On 2011-03-08 14:56, Andrea Barisani wrote:
> On Tue, Mar 08, 2011 at 10:59:57AM -0500, Josh Bressers wrote:
>> 3) Are we going to annoy other CERTs? Will they even care?
> I don't think this is an issue. We positively worked with other CERTs when that
> was applicable anyway.

Speaking for CERT/CC, we have no problem with oCERT or anyone else
running a private coordination list/function.  In fact, we have no
illusion of control over such activity.

I think some sort of private coordination/embargo period capability is
useful; it seems like the vendor-sec model worked reasonably well for
the constituency -- low overhead, some leaking, but on the balance
fairly effective during its lifespan.  My observation is that CERT/CC's
process is probably too much overhead for typical open source
vulnerabilities, although we'll still be involved in some cases that
cross multiple open/closed/commercial/non-commercial vendors.

CERT/CC could also possibly host a "vendor-sec replacement" mailing
list, however we'd have to consider (as already noted in this thread)
how to vet members, encryption (or not), overhead, etc.  I'd think this
capability would be better provided by oCERT or Openwall or someone
closer to the community.

 - Art
