This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Community feedback on EU-FOSSA2 program.


* Carlos O'Donell:

> I'm looking to get community feedback regarding glibc's involvement with
> this program, and the extent to which we should be involved.

We already are.  We do not have a say in this matter; the program has
already started.  Since you (as stewards) sat on this for several weeks
after the initial contact from Intigriti last year, we will never know
if we had any chance in negotiating something else.

> The stewards are already discussing this with RMS as part of a GNU position
> on the matter, and we met privately with Intigriti last week to understand
> what role we have in this program. We had many suggestions to improve the
> text of the agreement for prospective bug hunters (like needing copyright
> assignment to contribute the fix that gives you a +20% bounty bonus), but
> we need community input to decide which steps to take next.

As an outcome of this meeting, I added post-exploitation countermeasures
to:

  <https://sourceware.org/glibc/wiki/Security%20Exceptions>

I do *not* plan to participate on the Intigriti platform and review
issues before they are passed on to distribution security teams, under
our documented security process:

  <https://sourceware.org/glibc/wiki/Security Process>

I will contact the distribution security teams later today and notify
that they might get reports via the Intigriti platform.

Thanks,
Florian

