On Wed, Jul 6, 2011 at 18:35, Dennis E. Hamilton <[email protected]> wrote:
> Well, vulnerabilities are vulnerabilities and if there is an exposure in
> current code or in documents produced in current code, isn't that a concern
> for us now? Why would it not be?
>
> Also, I don't presume that everyone is downstream from us (as opposed to the
> OpenOffice.org that once was).
>
> I think of LibreOffice as a mutual stakeholder because it seems they have a
> security team too and like it or not, they are cranking out releases very
> quickly and may be able to provide mitigations, hypothetically, months before
> we ever get a release of ours out the door.
We can get guidance from the Apache Security Team on this. I suspect they would concur: work with the development/security teams of people developing forks of OOo. Downstream users would presumably get a standard pre-notification email.

>...
> I don't know about the details of having that work. I do know if I uncover a
> problem, I am going to communicate it to every security-conscious entity I
> can.

The best answer is to ask Security for advice here. There is an industry-standard approach to this kind of notification.

> To make this conversation concrete: I have security issues I want to raise,
> which is what had me looking into this in the first place. I would like to
> do this in a manner that is in keeping with concerns for dealing with
> security matters privately to ensure that there is competent review and no
> danger attached to premature disclosure. (I suspect not, because the
> vulnerabilities I am aware of exist in plain sight, but I want the counsel of
> someone having more security experience than I before saying, "Heck, I need
> something for today's blog post, why not stir things up with this?")

Start with [email protected], and go from there.

Cheers,
-g
