Re: Proper procedure for reporting possible security vulnerabilities?

From: Chris Wright
Date: Mon Jan 10 2005 - 19:53:33 EST


* Jesper Juhl (juhl-lkml@xxxxxx) wrote:
> On Mon, 10 Jan 2005, Steve Bergman wrote:
> > Actually I am having a discussion with a Pax Team member about how the recent
> > exploits discovered by the grsecurity guys should have been handled. They
> > claim that they sent email to Linus and Andrew and did not receive a response
> > for 3 weeks, and that is why they released exploit code into the wild.
> >
> > Anyone here have any comments on what I should tell him?
> >
> I don't know what other people would do or what the general feeling on
> the list is, but personally I'd send such reports to the maintainer and
> CC lkml, if there is no maintainer I'd just send to lkml.

Problem is, the rest of the world uses a security contact for reporting
security sensitive bugs to project maintainers and coordinating
disclosures. I think it would be good for the kernel to do that as well.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net