Date: Thu, 25 May 2017 21:37:44 +0200
From: Solar Designer <>
Subject: independent volunteers on distros list


On the old vendor-sec list (1998(?) - 2011), there were not only distro
vendors, but also individual volunteers (in fact, I was originally
invited in that capacity, prior to Openwall having a Linux distro) and
some major upstream projects (X.Org, Samba).  When vendor-sec ceased to
exist, I set up the (linux-)distros list(s), intentionally calling them
such to more clearly draw the line on who's to be accepted and to avoid
slippery slope.

While I'm still of the opinion that non-distro upstream projects should
not be on those lists (instead, they are being CC'ed when needed), nor
subject matter experts with certain domain-specific knowledge (ditto),
I'd like to change my mind regarding the non-distro volunteers (aka
security researchers) with broad expertise and a track record of
evaluating vulnerabilities and fixes and finding more issues in those.
I am referring e.g. to the aftermath of Shellshock public disclosure.
Rather than have this happen post-disclosure, we can take the slightly
higher risk of leaks (from having just a few more people subscribed, and
perhaps people who are better equipped to deal with confidential
information than most distros' representatives are) and have better
understanding and fixes pre-disclosure.

I am convinced there are ways to avoid the slippery slope should the
issue arise.  There are few people out there who are at the same time
capable (broad expertise and a track record of finding more issues in
the fixes), willing, and available to volunteer, and who someone already
subscribed would vouch for and no one would object against.  Perhaps
fewer such people than we have distros.  For now these are the criteria,
but if necessary there are other potential policies we could introduce.

Unlike people subscribed for distros (whose primary reason to be
subscribed is that they make use of the info to prepare fixes for their
distro), the non-distro volunteers must be active and helpful in
discussions as a condition for their continued subscription.  (Indeed,
being active and helpful is encouraged for the distro subscribers as
well, but it isn't a strict requirement as long as the distro is making
good use of the info to prepare fixes.)

The volunteer subscriptions will be of them as individuals, unrelated
to their employment (if any), and they would be expected not to share
the information with their employer(s), nor with anyone else, unless
explicitly permitted.  The employer(s)' vulnerability disclosure
policies, if any, would not apply.  If this is inconsistent with a
given researcher's employment, that researcher should not accept to be

Specifically, at this time I am going to subscribe Tavis Ormandy, who
happens to have been on vendor-sec.  I've already discussed this with
him, and he agreed.

I first brought this to distros list itself yesterday (after some
private discussions with some individual distros, both recently and way
earlier), and received no objections.  Some of the subscribed distros'
representatives spoke in favor of this change (some on the list, some
privately to me) and some also made comments (in particular, that we
should emphasize that "the volunteer subscriptions will be of them as
individuals, unrelated to their employment ...", which I did above).

I'd appreciate any further comments that the broader community might
have, but for now it's a decision made and I'll proceed.


