Date: Tue, 17 May 2022 12:52:34 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros list policy and Linux kernel

Another potential nail in the coffin for embargoed disclosure lists such as linux-distros and distros, as well as the idea of embargoed disclosure in general, is recent changes in export controls, most recently by the USA's Commerce Dept. While there seem to be exceptions called out for "cybersecurity response" and "vulnerability disclosure" in 86-FR-58205 (Information Security Controls: Cybersecurity Items), I've been in a number of semi-hushed conversations with vulnerability managers of other large free/libre open source projects over worries that the provisions for this are still too vague.

In particular, I've heard concerns raised by developers living in the USA that privately supplying vulnerability fix patches or information on exploiting privately identified vulnerabilities to individuals in "restricted" countries could be a contravention of federal export control policy, and that determining whether every individual in receipt of this information is not a resident of a "restricted" country is unfeasible enough to make a switch to full-disclosure models increasingly attractive for these projects.

Unfortunately, the regulations are also new enough that getting a clear risk assessment on these matters from legal counsel available to community-run projects and non-profit foundations is... challenging. Further, I've had some vulnerability manager colleagues instructed by their employers to cease participation in any embargo processes for related "corporate liability" reasons.

-- 
Jeremy Stanley