[Techtalk] Handling security issues when you are upstream

Mary mary-linuxchix at puzzling.org
Sat Oct 8 12:16:07 EST 2005


On Fri, Oct 07, 2005, Elwing wrote:
> Actually - someone's already thought about it :)
> 
> http://www.oisafety.org/guidelines/secresp.html
> 
> These are the informally adopted guidelines for vulnerability
> researchers and vendors. Granted, it's slanted towards vulnerability
> researchers, but it has both.

This doesn't answer a lot of my questions though. For example, it says
that "If the Vendor or Finder finds that the Potential Flaw affects
multiple vendors’ products, it shall take at least one of the following
actions: exercise reasonable efforts to notify each Vendor; contact
an organization responsible for coordinating the efforts of the affected
Vendors, if one exists."

For any project that is volunteer run and which is likely to be
distributed in many many Linux distros, this is something like, I would
guess, 200 odd hours of work (there are *hundreds* of distros), or about
6 months worth if the project has no full-time employees. So I'd really
like a guide that's more focussed towards "you're a small Free Software
project which is volunteer run and would like to help vendors" rather
than "you are a vendor with immense resources". I'd also like specific
details as to where advisories are meant to be sent, rather than vague
guidelines about "the general public" and "users". Are you meant to mail
bugtraq, CERT, OSVDB...? Who? What do people actually do? I have no
idea.

-Mary

