oss-sec mailing list archives
RE: Vendor-sec hosting and future of closed lists
From: "Menkhus, Mark (GSE Security HP SSRT)" <mark.menkhus () hp com>
Date: Wed, 16 Mar 2011 04:07:15 +0000
Mike has an interesting idea, of opening the archives after a period of time. The embargoes in vendor-sec were typically weeks, but I don't recall the longest one. I too favor opening the vendor-sec archives after a while, maybe quarterly.

Not being the one fixing the code for our kernel left me with little to immediately contribute, but I requested and coordinated with several folks who got vendor sec for HP. Likely, we would still want to be part of vendor-sec.new. Most importantly, we would be glad to restate our need to continue to participate based on the new ground rules of whomever administers the new vendor-sec.

FWIW, I understand our largely silent participation in vendor-sec was annoying to folks looking at code, assessing risk, and suggesting fixes. If there is something we could contribute, I'll encourage us not to be as shy.

-Mark Menkhus
Hewlett Packard Software Security Response Team

-----Original Message-----
From: Mike O'Connor [mailto:mjo () dojo mi org]
Sent: Monday, March 14, 2011 9:01 PM
To: oss-security () lists openwall com
Subject: Re: [oss-security] Vendor-sec hosting and future of closed lists

[catching up on older emails]

:> > They do this already today, that's what security () kernel org is for, and
:> > it gets a bit of traffic like this every week.
:>
:> Is this list open to the public? It doesn't seem to be available on
:> http://vger.kernel.org/vger-lists.html.
:
:No, it is closed, as it should be as potential security problems are
:mailed there. You don't want that to be totally open, right?

One suggestion I've made in the past is to have the list _archives_ be open. So anything older than, say, a month is made public. That way, folks can see how issues were disclosed, how decisions were reached, etc. for old issues that are no longer under embargo.

The way I see it, if we don't publish the list archive on our own terms, miscreants will get around to publishing it for us.

--
Michael J. O'Connor mjo () dojo mi org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==- -==--=
"Why make trillions when we could make... billions?" - Dr. Evil