Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 22 May 2017 22:28:04 -0400
From: "Perry E. Metzger" <perry@...rmont.com>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: How to request a CVE for open source projects

On Mon, 22 May 2017 20:04:41 -0600 Kurt Seifried
<kseifried@...hat.com> wrote:
> > Primarily, freeform discussion of the sort that occurred on this
> > list as a natural outcropping of the CVE request process led to
> > people linking to verification code, temporary mitigations,
> > highlighting of incomplete fixes, and the sort of information
> > that was requested earlier in this thread.  This ability to
> > easily chip in to ongoing situations wasn't just useful for mitre
> > staff doing CVE work, it was also useful for the "community of
> > practice" looking for the latest information regarding
> > self-defense.  I've prevented more than one attack thanks to a
> > one-off reply from someone in response to a CVE request.    
> 
> You can still do this. oss-security is a list run by Solar Designer
> (openwall.com). I happen to be a long time poster/moderator, but I
> have no official control/etc (I don't even block posts, that's up
> to solar, I just allow stuff or ignore it when it's up for
> moderation).

Maybe after CVEs are assigned the forms could be emailed to the list
as a replacement for the old request emails, to kick off
discussion and alert people to their existence?

Perry
-- 
Perry E. Metzger		perry@...rmont.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.