Re: running the distros lists
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 14 Mar 2012 13:42:23 -0600
I think that ideally the person would (try to) identify the upstreams,
downstreams, and other affected projects to contact, ask the reporter
for approval, upon the approval inform those other projects that there's
a security issue and ask them if they'd like more info and if they're OK
with the proposed maximum embargo period (CC'ing the list on those
preliminary notifications), and if they accept then finally pass the
actual info on to them (also CC'ing the list) and add them to the CC
list on further correspondence.
Can we also maintain a public database of upstream contacts? I seem to
remember a few different efforts to do this but can't find anything
current. This would save a ton of time. It would of course have to be
maintained (maybe a scheme like emailing the people listed every few
months and offering a "click here to confirm you're still the security
contact" and a "click here to be removed as the contact" to help keep it
up to date). Also things like PGP keys/etc would be nice to have in
this. It strikes me that this would actually be a valuable project for
Mitre, similar to CPE, maybe the "SCE" ("Security Contact Enumeration")?
As anyone trying to notify multiple upstreams knows, it can be a
horribly painful process.
Kurt Seifried
Red Hat Security Response Team (SRT)
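The "click to confirm / click to be removed" scheme sketched in the message above has one practitioner's caveat worth making concrete: if the links are plain URLs keyed only by an address, anyone who can guess them can delist a project's security contact. The following is an added illustration, not code from the oss-security list, MITRE, or any existing contact database, of a minimal registry where each entry carries a PGP fingerprint and a last-confirmed timestamp, stale entries are selected for a re-confirmation mail, and the confirm/remove links are HMAC-signed and time-limited so that a confirm link cannot be rewritten into a remove link or replayed after it expires. The record layout, the 14-day link lifetime, the 90-day re-confirmation interval, and the sample projects are all assumptions made for the example.

```python
"""Security-contact registry with signed confirm/remove links.

Added illustration; not code from the oss-security list or any existing
contact database. Record layout, link lifetime, re-confirmation interval
and the sample entries below are assumptions made for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

DAY = 86400
LINK_TTL = 14 * DAY          # assumption: a mailed link is honoured for 14 days
RECONFIRM_EVERY = 90 * DAY   # assumption: re-confirm contacts roughly every 3 months


@dataclass
class Contact:
    project: str
    email: str
    pgp_fingerprint: str     # 40 hex chars, so a notifier can encrypt to the contact
    last_confirmed: int      # unix time of the last "yes, still the contact" click


def make_link(secret: bytes, contact: Contact, action: str, issued: int) -> str:
    """Build an unforgeable, time-limited confirm/remove token.

    The MAC covers project, address, action and issue time, so a 'confirm'
    token cannot be edited into a 'remove' token, and a token mailed to one
    contact cannot act on another entry.
    """
    if action not in ("confirm", "remove"):
        raise ValueError("unknown action")
    payload = f"{contact.project}|{contact.email}|{action}|{issued}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def parse_link(secret: bytes, token: str, now: int) -> Optional[Tuple[str, str, str]]:
    """Return (project, email, action) if the token is authentic and fresh, else None."""
    parts = token.split("|")
    if len(parts) != 5:
        return None
    project, email, action, issued, mac = parts
    payload = "|".join(parts[:4])
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return None
    # Reject malformed, expired, or future-dated issue times.
    if not issued.isdigit() or int(issued) > now or now - int(issued) > LINK_TTL:
        return None
    return project, email, action


def due_for_reconfirmation(registry: List[Contact], now: int) -> List[Contact]:
    """Entries whose last confirmation is older than RECONFIRM_EVERY."""
    return [c for c in registry if now - c.last_confirmed > RECONFIRM_EVERY]


def apply_link(registry: List[Contact], secret: bytes, token: str, now: int) -> str:
    """Apply a clicked link; returns 'confirmed', 'removed' or 'rejected'."""
    parsed = parse_link(secret, token, now)
    if parsed is None:
        return "rejected"
    project, email, action = parsed
    for c in registry:
        if c.project == project and c.email == email:
            if action == "confirm":
                c.last_confirmed = now
                return "confirmed"
            registry.remove(c)
            return "removed"
    return "rejected"   # authentic token, but the entry is already gone


if __name__ == "__main__":
    # Constructed sample registry; the two projects and addresses are made up.
    secret = secrets.token_bytes(32)   # per-deployment key, kept out of the database
    t0 = 1_331_752_943                 # 2012-03-14, the date of this thread
    registry = [
        Contact("libfoo", "security@libfoo.example", "A" * 40, t0 - 100 * DAY),
        Contact("barapp", "sec@barapp.example", "B" * 40, t0 - 10 * DAY),
    ]
    for c in due_for_reconfirmation(registry, t0):
        print(f"mail {c.email}: confirm={make_link(secret, c, 'confirm', t0)}")
        print(f"                  remove={make_link(secret, c, 'remove', t0)}")
```

The secret lives with the mailer, not in the database, so a leaked copy of the contact list alone yields nothing actionable; and because the action is inside the MAC'd payload, the "remove" link is a distinct token rather than a parameter on a shared one.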