This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Policy for posting security bug reports?


* Paul Eggert:

> People are also welcome to report bugs via more-formal
> approaches, e.g., the U.S. Computer Emergency Readiness Team
> <http://www.kb.cert.org/vuls/html/report-a-vulnerability/>.
> There is a formal channel between US-CERT and the GNU C
> library developers.  It used to see some activity, but
> the hotline hasn't rung for quite some time, presumably
> since nothing has been important enough.

Please note that notifying CERT/CC does not always ensure that
affected distributions are notified.  So you'd have to do that anyway,
just to be on the safe side.

Alternatively, you could ask any of the distributions with a security
team for assistance, and they will make sure that other distributions
are informed, assign a CVE name, negotiate a coordinated disclosure
date, help with testing, etc.

