This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Policy for posting security bug reports?
On 6/25/2012 1:25 PM, Florian Weimer wrote:
> * Paul Eggert:
>
>> People are also welcome to report bugs via more-formal
>> approaches, e.g., the U.S. Computer Emergency Readiness Team
>> <http://www.kb.cert.org/vuls/html/report-a-vulnerability/>.
>> There is a formal channel between US-CERT and the GNU C
>> library developers. It used to see some activity, but
>> the hotline hasn't rung for quite some time, presumably
>> since nothing has been important enough.
>
> Please note that notifying CERT/CC does not always ensure that
> affected distributions are notified. So you'd have to do that anyway,
> just to be on the safe side.
>
> Alternatively, you could ask any of the distributions with a security
> team for assistance, and they will make sure that other distributions
> are informed, assign a CVE name, negotiate a coordinated disclosure
> date, help with testing, etc.
>
I would expect that if you fill in the Vendor information in the
CERT vulnerability submission form, the vendor would be contacted.
I would also expect CERT to take reasonable steps to contact the
security teams for all distributions to ensure that they are
informed of the vulnerability.
I could be wrong though since I have no experience working with
CERT or any distribution security teams.
Could the distribution maintainers comment here?
Cheers,
Carlos.
--
Carlos O'Donell
Mentor Graphics / CodeSourcery
carlos_odonell@mentor.com
carlos@codesourcery.com
+1 (613) 963 1026