Re: Proposal: Add separate oss-security-vulnerability-reports mailing list (for AI vulnpocalypse)

[3v <ventic () 3v fi>]

> From a lurker's perspective, the current mix has been completely fine
and I find some value in seeing what threads remain in discussion for
longer, even if I'm mainly on the list to keep an eye on new
vulnerabilities. Marking as read and ignoring specific threads is
simple enough.

-WV
---
3v.fi


On Tue, Jun 16, 2026 at 5:45 PM Prentice Bisbal <prentice () ucar edu> wrote:
> On 6/15/26 1:56 PM, Alan Coopersmith wrote:
> > On 6/8/26 16:46, David A. Wheeler wrote:
> > > All: I propose that we create a *separate* mailing list, say
> > > "oss-security-vulnerability-reports", for run-of-the-mill
> > > vulnerability reports
> > > about open source software (OSS). Run-of-the-mill reports would then
> > > go there
> > > and *not* to this mailing list "oss-security". This would leave
> > > *this* oss-security" mailing list
> > > for general discussions about the topic of OSS security, including
> > > discussions about
> > > specific publicly known vulnerabilities that are especially
> > > noteworthy in some way.
> > > Tools that want the full flood could monitor
> > > "oss-security-vulnerability-reports".
> >
> > If it comes to the point we have to split the lists, I think it would
> > be easier
> > to create a oss-security-discuss for the discussions than to get
> > dozens of
> > projects to update their security advisory release process to send their
> > advisories to a new list, or to rely on the projects to determine
> > which are
> > newsworthy enough to go to the main list vs. your proposed new
> > ...-vulnerability-reports list.
>
> I second this.