This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Policy for posting security bug reports?


On 6/25/2012 1:25 PM, Florian Weimer wrote:
> * Paul Eggert:
> 
>> People are also welcome to report bugs via more-formal
>> approaches, e.g., the U.S. Computer Emergency Readiness Team
>> <http://www.kb.cert.org/vuls/html/report-a-vulnerability/>.
>> There is a formal channel between US-CERT and the GNU C
>> library developers.  It used to see some activity, but
>> the hotline hasn't rung for quite some time, presumably
>> since nothing has been important enough.
> 
> Please note that notifying CERT/CC does not always ensure that
> affected distributions are notified.  So you'd have to do that anyway,
> just to be on the safe side.
> 
> Alternatively, you could ask any of the distributions with a security
> team for assistance, and they will make sure that other distributions
> are informed, assign a CVE name, negotiate a coordinated disclosure
> date, help with testing, etc.
> 

I would expect that if you fill in the Vendor information in the
CERT vulnerability submission form that the vendor would be contacted.

I would also expect CERT to take reasonable steps to contact the
security teams for all distributions to ensure that they are
informed of the vulnerability.

I could be wrong though since I have no experience working with
CERT or any distribution security teams.

Could the distribution maintainers comment here?

Cheers,
Carlos.
-- 
Carlos O'Donell
Mentor Graphics / CodeSourcery
carlos_odonell@mentor.com
carlos@codesourcery.com
+1 (613) 963 1026

