Re: Proper procedure for reporting possible security vulnerabilities?

From: Alan Cox
Date: Mon Jan 10 2005 - 21:50:37 EST


On Llu, 2005-01-10 at 16:46, Steve Bergman wrote:
> So what is the preferred procedure and is it documented somewhere?
> Should it be made more prominent?

Good question. The preferred procedure depends on your viewpoint on
disclosure.

vendor-sec@xxxxxx is a cross-vendor security list and a good place for
stuff. It will deal with both public and date-embargoed security
information. security@[your-vendor] should work for most responsible
vendors and may be more appropriate if it involves a vendor kernel that
may have bugs not in the base tree.

For stuff in -bk kernel snapshots and the like that isn't in the
production kernels then I'd start by mailing Linus/(Andrew for -mm) or
the list.

Alan
