[Techtalk] Handling security issues when you are upstream
Elwing
elwing at elwing.org
Sat Oct 8 12:01:46 EST 2005
Actually - someone's already thought about it :)
http://www.oisafety.org/guidelines/secresp.html
These are the informally adopted guidelines for vulnerability
researchers and vendors. Granted, it's slanted towards vulnerability
researchers, but it has both.
Elwing
On Oct 7, 2005, at 9:56 PM, Mary wrote:
> Hi everyone,
>
> Anyone know of the current correct procedure for notifying vendors of a
> security hole and a fix when you *are* upstream for the fix? I know from
> blogs that vendors, particularly Linux distros, got Very Very Angry with
> Mozilla recently for not helping them coordinate a release of fixed
> packages at the same time as mozilla.org itself had a fixed version.
>
> It seems the correct thing to do is:
>
> 1. file the incident with a vulnerability database and get a tracking
> number
>
> 2. fix the bug
>
> 3. tell a lot of vendors about the fix
>
> 4. wait for the vendors to apply the fix and decide when to release
> fixed packages
>
> 5. put out a public announcement of the bug on the same day as the
> vendors do
>
> So far so good. But I can't for the life of me find a document that
> answers any of these questions:
>
> 1. which database do you report to? where are the forms for upstreams
> to use (most of the forms seem to be for third parties, they have a lot
> of questions about "when did you notify upstream and what did they say?")
>
> 2. is there any central place to report to vendors or do you have to
> personally visit the bug tracker of every one of the possibly hundreds
> of distros (Linux and other) releasing packages and wait for them
> all to reply etc etc?
>
> 3. how do all the vendors get back in touch with you? how long is it
> right to delay the announcement for while Joe Bob's Linux is trying to
> do a new package?
>
> 4. where do you send public announcements of bugs?
>
> -Mary
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://linuxchix.org/cgi-bin/mailman/listinfo/techtalk
>