Hi Kurt,

On Tue, 2004-05-18 at 23:20, Kurt Lieber wrote:
> On Tue, May 18, 2004 at 11:07:22PM +0200 or thereabouts, Tobias Weisserth wrote:
> > "Confidential vulnerabilities
> >
> > Confidential vulnerabilities (for example coming from developer's direct
> > communication or restricted vendor-sec lists) should follow a specific
> > procedure. They should not appear as a public bugzilla entry, but only
> > in the (private) GLSAMaker tool. They should get corrected using private
> > communication channels between the GLSA coordinator and the package
> > maintainer."
> >
> > What's this about? I can't imagine what a "confidential vulnerability"
> > might be. This immediately prompts for a "security by obscurity" remark,
> > don't you think?
>
> It means that if a vendor contacts us to notify us of a security
> vulnerability in their product, but asks us to keep it confidential until a
> pre-defined release date, we will respect their wishes and treat the bug as
> confidential.

Ah, OK. I think this explanation deserves to be in the document. :-)

regards,
Tobias

--
gentoo-security@g.o mailing list