Date: Wed, 14 Mar 2012 13:42:23 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Solar Designer <solar@...nwall.com>, "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: running the distros lists

> I think that ideally the person would (try to) identify the upstreams,
> downstreams, and other affected projects to contact, ask the reporter
> for approval, upon the approval inform those other projects that there's
> a security issue and ask them if they'd like more info and if they're OK
> with the proposed maximum embargo period (CC'ing the list on those
> preliminary notifications), and if they accept then finally pass the
> actual info on to them (also CC'ing the list) and add them to the CC
> list on further correspondence.

Can we also maintain a public database of upstream contacts? I seem to remember a few different efforts to do this but can't find anything current. This would save a ton of time. It would of course have to be maintained (maybe a scheme like emailing the people listed every few months and offering a "click here to confirm you're still the security contact" and a "click here to be removed as the contact" to help keep it up to date). Also things like PGP keys/etc would be nice to have in this.

It strikes me that this would actually be a valuable project for Mitre, similar to CPE, maybe the "SCE" ("Security Contact Enumeration")? As anyone trying to notify multiple upstreams knows, it can be a horribly painful process.

> Alexander

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)