Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 17 May 2022 12:52:34 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros list policy and Linux kernel

Another potential nail in the coffin for embargoed disclosure lists
such as linux-distros and distros, as well as the idea of embargoed
disclosure in general, is recent changes in export controls, most
recently by the USA's Commerce Dept. While there seem to be
exceptions called out for "cybersecurity response" and
"vulnerability disclosure" in 86-FR-58205 (Information Security
Controls: Cybersecurity Items), I've been in a number of semi-hushed
conversations with vulnerability managers of other large free/libre
open source projects over worries that the provisions for this are
still too vague.

In particular, I've heard concerns raised by developers living in
the USA that privately supplying vulnerability fix patches or
information on exploiting privately identified vulnerabilities to
individuals in "restricted" countries could be a contravention of
federal export control policy, and that determining whether every
individual in receipt of this information is not a resident of a
"restricted" country is unfeasible enough to make a switch to
full-disclosure models increasingly attractive for these projects.

Unfortunately, the regulations are also new enough that getting a
clear risk assessment on these matters from legal counsel available
to community-run projects and non-profit foundations is...
challenging. Further, I've had some vulnerability manager colleagues
instructed by their employers to cease participation in any embargo
processes for related "corporate liability" reasons.
-- 
Jeremy Stanley

Download attachment "signature.asc" of type "application/pgp-signature" (964 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.