oss-sec mailing list archives
Re: linux-distros list policy and Linux kernel
From: Jeremy Stanley <fungi () yuggoth org>
Date: Tue, 17 May 2022 12:52:34 +0000
Another potential nail in the coffin for embargoed disclosure lists such as linux-distros and distros, as well as the idea of embargoed disclosure in general, is recent changes in export controls, most recently by the USA's Commerce Dept. While there seem to be exceptions called out for "cybersecurity response" and "vulnerability disclosure" in 86-FR-58205 (Information Security Controls: Cybersecurity Items), I've been in a number of semi-hushed conversations with vulnerability managers of other large free/libre open source projects over worries that the provisions for this are still too vague.

In particular, I've heard concerns raised by developers living in the USA that privately supplying vulnerability fix patches or information on exploiting privately identified vulnerabilities to individuals in "restricted" countries could be a contravention of federal export control policy, and that determining whether every individual in receipt of this information is not a resident of a "restricted" country is unfeasible enough to make a switch to full-disclosure models increasingly attractive for these projects. Unfortunately, the regulations are also new enough that getting a clear risk assessment on these matters from legal counsel available to community-run projects and non-profit foundations is... challenging.

Further, I've had some vulnerability manager colleagues instructed by their employers to cease participation in any embargo processes for related "corporate liability" reasons.

-- 
Jeremy Stanley