oss-sec mailing list archives
Re: Vendor-sec hosting and future of closed lists
From: Art Manion <amanion () cert org>
Date: Tue, 15 Mar 2011 16:52:35 -0400
On 2011-03-08 14:56, Andrea Barisani wrote:
> On Tue, Mar 08, 2011 at 10:59:57AM -0500, Josh Bressers wrote:
>> 3) Are we going to annoy other CERTs? Will they even care?
>
> I don't think this is an issue. We positively worked with other CERTs when that was applicable anyway.

Speaking for CERT/CC, we have no problem with oCERT or anyone else running a private coordination list/function. In fact, we have no illusion of control over such activity.

I think some sort of private coordination/embargo period capability is useful, it seems like the vendor-sec model worked reasonably well for the constituency -- low overhead, some leaking, but on the balance fairly effective during its lifespan.

My observation is that CERT/CC's process is probably too much overhead for typical open source vulnerabilities, although we'll still be involved in some cases that cross multiple open/closed/commercial/non-commercial vendors.

CERT/CC could also possibly host a "vendor-sec replacement" mailing list, however we'd have to consider (as already noted in this thread) how to vet members, encryption (or not), overhead, etc. I'd think this capability would be better provided by oCERT or Openwall or someone closer to the community.

- Art