[Techtalk] Handling security issues when you are upstream
Mary
mary-linuxchix at puzzling.org
Sat Oct 8 11:56:21 EST 2005
Hi everyone,
Anyone know of the current correct procedure for notifying vendors of a
security hole and a fix when you *are* upstream for the fix? I know from
blogs that vendors, particularly Linux distros, got Very Very Angry with
Mozilla recently for not helping them coordinate a release of fixed
packages at the same time as mozilla.org itself had a fixed version.
It seems the correct thing to do is:
1. file the incident with a vulnerability database and get a tracking
number
2. fix the bug
3. tell a lot of vendors about the fix
4. wait for the vendors to apply the fix and decide when to release
fixed packages
5. put out a public announcement of the bug on the same day as the
vendors do
So far so good. But I can't for the life of me find a document that
answers any of these questions:
1. which database do you report to? where are the forms for upstreams
to use? (most of the forms seem to be for third parties; they have a lot
of questions about "when did you notify upstream and what did they say?")
2. is there any central place to report to vendors or do you have to
personally visit the bug tracker of every one of the possibly hundreds
of distros (Linux and other) releasing packages and wait for them
all to reply etc etc?
3. how do all the vendors get back in touch with you? how long is it
right to delay the announcement for while Joe Bob's Linux is trying to
do a new package?
4. where do you send public announcements of bugs?
-Mary