Date: Tue, 15 Mar 2011 16:52:35 -0400
From: Art Manion <amanion@...t.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: Andrea Barisani <lcars@...rt.org>
Subject: Re: Vendor-sec hosting and future of closed lists

On 2011-03-08 14:56, Andrea Barisani wrote:
> On Tue, Mar 08, 2011 at 10:59:57AM -0500, Josh Bressers wrote:
>> 3) Are we going to annoy other CERTs? Will they even care?
>
> I don't think this is an issue. We positively worked with other CERTs when that
> was applicable anyway.

Speaking for CERT/CC, we have no problem with oCERT or anyone else running a private coordination list/function. In fact, we have no illusion of control over such activity.

I think some sort of private coordination/embargo period capability is useful; it seems like the vendor-sec model worked reasonably well for the constituency -- low overhead, some leaking, but on the balance fairly effective during its lifespan.

My observation is that CERT/CC's process is probably too much overhead for typical open source vulnerabilities, although we'll still be involved in some cases that cross multiple open/closed/commercial/non-commercial vendors.

CERT/CC could also possibly host a "vendor-sec replacement" mailing list; however, we'd have to consider (as already noted in this thread) how to vet members, encryption (or not), overhead, etc. I'd think this capability would be better provided by oCERT or Openwall or someone closer to the community.

- Art