
The future of vendor-sec


Posted Mar 11, 2011 4:24 UTC (Fri) by BenHutchings (subscriber, #37955)
Parent article: The future of vendor-sec

I was never a subscriber to vendor-sec, but I am a trusted associate of someone who was and I did get information on some embargoed issues. Who knows how many such people there are beyond the 80-100 subscribers?

My position: I really hate secrecy around security issues. When I'm backporting a patch for a public issue, I often look up the CVE on cve.mitre.org and find that there is still no information there, because it was embargoed previously. If I'm dealing with an embargoed issue, I have to avoid committing any fixes to a public VCS. And if the date is pushed out for the convenience of one distributor or another, the information is quite likely to leak to the blackhats via one route or another (even if they haven't owned the list server). Not to mention government agencies that play on both sides of the security game.



The future of vendor-sec

Posted Mar 17, 2011 14:28 UTC (Thu) by eteo (guest, #36711)

Ben, for public issues, you will find our bug reports useful. You can access them via https://bugzilla.redhat.com/CVE-20YY-NNNN. Thanks.

