Gentoo Archives: gentoo-security

From: Tobias Weisserth <tobias@×××××××××.de>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Gentoo Linux Vulnerability Treatment Policy
Date: Tue, 18 May 2004 21:25:59
Message-Id: 1084915533.14281.20.camel@coruscant.weisserth.net
In Reply to: Re: [gentoo-security] Gentoo Linux Vulnerability Treatment Policy by Kurt Lieber
Hi Kurt,

On Tue, 2004-05-18 at 23:20, Kurt Lieber wrote:
> On Tue, May 18, 2004 at 11:07:22PM +0200 or thereabouts, Tobias Weisserth wrote:
> > "Confidential vulnerabilities
> >
> > Confidential vulnerabilities (for example coming from developer's direct
> > communication or restricted vendor-sec lists) should follow a specific
> > procedure. They should not appear as a public bugzilla entry, but only
> > in the (private) GLSAMaker tool. They should get corrected using private
> > communication channels between the GLSA coordinator and the package
> > maintainer."
> >
> > What's this about? I can't imagine what a "confidential vulnerability"
> > might be. This immediately prompts a "security by obscurity" remark,
> > don't you think?
>
> It means that if a vendor contacts us to notify us of a security
> vulnerability in their product, but asks us to keep it confidential until a
> pre-defined release date, we will respect their wishes and treat the bug as
> confidential.

Ah, OK. I think this explanation deserves to be in the document. :-)

regards,
Tobias


--
gentoo-security@g.o mailing list

Replies

Subject Author
Re: [gentoo-security] Gentoo Linux Vulnerability Treatment Policy Ard Righ <ardrigh@××××××××××××.nz>