Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 14 Mar 2012 13:42:23 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Solar Designer <solar@...nwall.com>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: running the distros lists

> I think that ideally the person would (try to) identify the upstreams,
> downstreams, and other affected projects to contact, ask the reporter
> for approval, upon the approval inform those other projects that there's
> a security issue and ask them if they'd like more info and if they're OK
> with the proposed maximum embargo period (CC'ing the list on those
> preliminary notifications), and if they accept then finally pass the
> actual info on to them (also CC'ing the list) and add them to the CC
> list on further correspondence.

Can we also maintain a public database of upstream contacts? I seem to
remember a few different efforts to do this but can't find anything
current. This would save a ton of time. It would of course have to be
maintained (maybe a scheme like emailing the people listed every few
months and offering a "click here to confirm you're still the security
contact" and a "click here to be removed as the contact" to help keep it
up to date). Also things like PGP keys/etc would be nice to have in
this. It strikes me that this would actually be a valuable project for
Mitre, similar to CPE, maybe the "SCE" ("Security Contact Enumeration")?

As anyone trying to notify multiple upstreams knows, it can be a
horribly painful process.

> Alexander

-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.