oss-sec mailing list archives

Re: Vendor-sec hosting and future of closed lists


From: "Mike O'Connor" <mjo () dojo mi org>
Date: Mon, 14 Mar 2011 23:28:14 -0400

[catching up on old email]

:> > As suggested by Josh Bressers oCERT would be favourable to providing a
:> > system that would accept user submission and allow selection of security
:> > contacts from our existing member database as well as other verified
:> > contacts.

...

:It all depends on how this process is going to be handled. I can see oCERT
:helping in routing reports to the proper contacts via email to our trusted
:member contacts as well as external ones that we can seek on a report basis.

What I've observed is that sometimes, the reporter or coordinator
doesn't have a good idea of the scope of their issue.  To cite some
real-world examples involving folks who I thought would know better:

  1) no, BSD networking isn't just in Free/Net/OpenBSD 
  2) no, ONC RPC just isn't in Sun products
  3) no, a RH-specific kernel issue is a general Linux kernel issue

Scoping issues isn't always easy.  How do you know whether I backported
some bleeding-edge fix with broken security implications into one of the
OSes I care about last week?  Sometimes, I'll need specific info just to
confirm that I don't care about the issue.  Scoping is one of the things
that vendor-sec was occasionally quite helpful with.  

-- 
 Michael J. O'Connor                                          mjo () dojo mi org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"I'd be terrific!  Colossal!  Stupendous!  Mediocre even!"        -Babs Bunny

