Re: thoughts on kernel security issues

From: Alan Cox
Date: Thu Jan 13 2005 - 12:00:36 EST


> Vendors should also cc: the kernel-security list/contact at the same
> time they would normally contact vendor-sec. I don't see a problem with
> that happening, and would help out the people on vendor-sec from having
> to wade through a lot of linux kernel specific stuff at times.

vendor-sec has no control over dates or who else gets to know. We can
ask people to also notify others, and we can suggest dates to people, but
that is all. So if you think 7 days is sensible when reporting a hole,
specify you will be making it public in 7 days.

If vendor-sec ignores a request, for example that the bug doesn't go
public until date X, then we just don't get told in future and we get
more 0 day crap.
