This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Policy for posting security bug reports?
- From: Russ Allbery <rra at stanford dot edu>
- To: Carlos O'Donell <carlos_odonell at mentor dot com>
- Cc: Rich Felker <dalias at aerifal dot cx>, <libc-alpha at sourceware dot org>, Jeff Law <law at redhat dot com>, Paul Eggert <eggert at cs dot ucla dot edu>
- Date: Mon, 25 Jun 2012 13:05:35 -0700
- Subject: Re: Policy for posting security bug reports?
- References: <20120623010836.GA2651@brightrain.aerifal.cx><4FE89C7B.7090902@mentor.com>
Carlos O'Donell <carlos_odonell@mentor.com> writes:
> (b) Where possible the policy should use already established official
> channels for security issue reporting. For example reporting the issue
> with CERT is IMO the best way forward. The GNU Libc project and the
> distributions can have liaisons with CERT, and receive early warnings
> from them in private.
I would recommend having a security bug reporting channel specific to GNU
libc and not ask everyone with a possible security bug to report it to
CERT. For one, CERT may not be particularly quick, and for another,
you're often going to need to triage these bugs with domain expertise. A
lot of things that people think are security bugs actually aren't, and
you'll want to make a quick judgement about severity. This is much easier
if the person is talking with you directly.
CERT is good for publicizing security vulnerabilities once they've been
patched, but they're not as good an initial reporting mechanism.
Having a few maintainers who have widely-available GnuPG keys in the
well-connected web of trust and who are willing to get private email about
issues and do something appropriate with them would probably be
sufficient.
> * Contact the distribution contact listed on the MAINTAINERS
> page for every distribution affected by the issue.
A lot of packages that deal with a lot of security issues have a private
mailing list that's used by the maintainers to reach all of those people
at once. (Some of them even do it via GnuPG-encrypted mail.) I don't
know if GNU libc has enough security bug reports to warrant doing
something like that.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>