[Techtalk] Handling security issues when you are upstream

Elwing elwing at elwing.org
Sat Oct 8 12:01:46 EST 2005


Actually - someone's already thought about it :)

http://www.oisafety.org/guidelines/secresp.html

These are the informally adopted guidelines for vulnerability researchers and vendors. Granted, it's slanted towards vulnerability researchers, but it has both.

Elwing


On Oct 7, 2005, at 9:56 PM, Mary wrote:

> Hi everyone,
>
> Anyone know of the current correct procedure for notifying vendors of a
> security hole and a fix when you *are* upstream for the fix? I know from
> blogs that vendors, particularly Linux distros, got Very Very Angry with
> Mozilla recently for not helping them coordinate a release of fixed
> packages at the same time as mozilla.org itself had a fixed version.
>
> It seems the correct thing to do is:
>
>  1. file the incident with a vulnerability database and get a tracking
>     number
>
>  2. fix the bug
>
>  3. tell a lot of vendors about the fix
>
>  4. wait for the vendors to apply the fix and decide when to release
>     fixed packages
>
>  5. put out a public announcement of the bug on the same day as the
>     vendors do
>
> So far so good. But I can't for the life of me find a document that
> answers any of these questions:
>
>  1. which database do you report to? where are the forms for upstreams
>     to use? (most of the forms seem to be for third parties, they have a lot
>     of questions about "when did you notify upstream and what did they say?")
>
>  2. is there any central place to report to vendors or do you have to
>     personally visit the bug tracker of every one of the possibly hundreds
>     of distros (Linux and other) releasing packages and wait for them
>     all to reply etc etc?
>
>  3. how do all the vendors get back in touch with you? how long is it
>     right to delay the announcement for while Joe Bob's Linux is trying to
>     do a new package?
>
>  4. where do you send public announcements of bugs?
>
> -Mary
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://linuxchix.org/cgi-bin/mailman/listinfo/techtalk
>