[Techtalk] Handling security issues when you are upstream

Mary mary-linuxchix at puzzling.org
Sat Oct 8 11:56:21 EST 2005


Hi everyone,

Anyone know of the current correct procedure for notifying vendors of a
security hole and a fix when you *are* upstream for the fix? I know from
blogs that vendors, particularly Linux distros, got Very Very Angry with
Mozilla recently for not helping them coordinate a release of fixed
packages at the same time as mozilla.org itself had a fixed version.

It seems the correct thing to do is:

 1. file the incident with a vulnerability database and get a tracking
    number

 2. fix the bug

 3. tell a lot of vendors about the fix

 4. wait for the vendors to apply the fix and decide when to release
    fixed packages

 5. put out a public announcement of the bug on the same day as the
    vendors do

So far so good. But I can't for the life of me find a document that
answers any of these questions:

 1. which database do you report to? where are the forms for upstreams
    to use? (most of the forms seem to be for third parties; they have a lot
    of questions about "when did you notify upstream and what did they say?")

 2. is there any central place to report to vendors or do you have to
    personally visit the bug tracker of every one of the possibly hundreds
    of distros (Linux and other) releasing packages and wait for them
    all to reply etc etc?

 3. how do all the vendors get back in touch with you? how long is it
    right to delay the announcement for while Joe Bob's Linux is trying to
    do a new package?

 4. where do you send public announcements of bugs?

-Mary