Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 28 Aug 2023 18:53:50 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros list policy and Linux kernel, again

On 2023-08-28 20:05:18 +0200 (+0200), Solar Designer wrote:
[...]
> So the real problem may be that (linux-)distros is misunderstood
> as permanently-private rather than temporarily-private.
> Unfortunately, I don't know how to address that reliably.  Even
> with automated delayed publication, some people would initially
> have the wrong idea... maybe unless they have to pass through a
> web page with the public archives before finding the posting
> address?
[...]

I know a defect tracker is (perhaps a lot) different from a mailing
list, but on one of the larger projects where I act as a
vulnerability coordinator we have a policy which includes a maximum
embargo duration. The project uses defect trackers which have the
ability to switch reports between public and private visibility, and
on intake of any initially private report a vulnerability
coordinator calculates the date of the embargo expiration and
notifies everyone involved in that discussion what that date is (in
our case by prepending a disclaimer to the report description which
also includes policy items like reminders not to redistribute while
the embargo is in effect). Our instructions on how to report
suspected vulnerabilities also mention this policy.

While we've occasionally had to redact some report content in cases
where users unwittingly attached sensitive data, I don't think we've
encountered a case of reporters being surprised that the content of
their reports will eventually be exposed to the public. Before
putting a limit on how long reports could remain private, we had
cases of some reports sitting unfixed or even uninvestigated and
effectively ignored by developers of the affected subsystems for
years. We determined, as a project, that it was better to have a
forcing action so that the community would at least be aware of
potential defects, and could perhaps even assist in making progress
on some of them where the usual maintainers lacked time or interest
in doing so.

Maybe another significant difference is that our embargoes have an
expiration 6.5x longer than that of the linux-distros ML, and we
have (on rare occasion) granted extensions of up to a week or two in
cases where there was active work underway but thorough testing and
vetting required a little additional time. To your point though, our
vulnerability coordinators are generally the ones to notify the
linux-distros ML of upcoming publications, and our documented
process includes a reminder not to notify that list until just prior
to a scheduled disclosure (generally no more than 5 business days in
advance), in order to comply with the list's policy.
-- 
Jeremy Stanley

Download attachment "signature.asc" of type "application/pgp-signature" (964 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.