Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 16 Jun 2017 02:40:08 +0200
From: Solar Designer <>
To: Qhdwns123 <>
Subject: Re: Do I have to inform someone about CVE?

Hi Qhdwns123,

As a list moderator, this is most likely the very last message I've
accepted from you, until and unless you finally report a security issue
in here.  So maybe now is the time. ;-)

On Thu, Jun 15, 2017 at 08:02:53PM -0400, Qhdwns123 wrote:
> I received a CVE.
> Do I have to inform someone about CVE?

Please inform this very mailing list about actual security issues you
find, whether you have CVE IDs for them or not.  Now that you say you do
have a CVE ID, please include it in your notification indeed.  But not
having a CVE ID was never a reason to delay notifying us of the issue.

Of course, the issue must be in Open Source software.  (If not, then
post it to the full-disclosure mailing list instead.)

Also, let me repeat publicly what I wrote to you off-list last week:

| Your use of the oss-security list is weird:
| You don't appear to be subscribed, yet you ask questions.  Are you
| possibly subscribed via some other address?  If not, you'd only learn of
| possible answers via a web archive of the list, but you would not be
| able to easily reply to the same thread.
| We do not appreciate it when you start new threads for each minor
| re-wording or detail of your question(s) or development in your issue
| reporting.  You have posted several messages on the process already, but
| you're yet to bring a single actual security issue to the list.
| Personally, I would rather see you post the actual security issue(s)
| right to the list, instead of you asking where/how to report them and
| how to obtain CVE IDs.  Who cares about the IDs when there might not be
| an actual issue in the first place?
| Would you please join the list, then participate in discussion(s) that
| might result from your postings?

You're still not subscribed.  Apparently, you tried to, but you never
confirmed the subscription.  Please correct that.



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.