Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 14 Mar 2012 13:42:23 -0600
From: Kurt Seifried <>
CC: Solar Designer <>,
        "Steven M. Christey" <>
Subject: Re: running the distros lists

> I think that ideally the person would (try to) identify the upstreams,
> downstreams, and other affected projects to contact, ask the reporter
> for approval, upon the approval inform those other projects that there's
> a security issue and ask them if they'd like more info and if they're OK
> with the proposed maximum embargo period (CC'ing the list on those
> preliminary notifications), and if they accept then finally pass the
> actual info on to them (also CC'ing the list) and add them to the CC
> list on further correspondence.

Can we also maintain a public database of upstream contacts? I seem to
remember a few different efforts to do this but can't find anything
current. This would save a ton of time. It would of course have to be
maintained (maybe a scheme like emailing the people listed every few
months and offering a "click here to confirm you're still the security
contact" and a "click here to be removed as the contact" to help keep it
up to date). Also things like PGP keys/etc would be nice to have in
this. It strikes me that this would actually be a valuable project for
Mitre, similar to CPE, maybe the "SCE" ("Security Contact Enumeration")?

As anyone trying to notify multiple upstreams knows, it can be a
horribly painful process.

> Alexander

Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.