Bringing the threads together on the public list so we can (hopefully) quickly discuss.
As I understand it now, OpenOffice.org currently directs visitors to report vulnerabilities to [email protected]. This address is currently being monitored. And at Apache we ask that vulnerabilities be reported to [email protected], after which they are forwarded to the particular project's private email list, where such matters can be analyzed in confidence, avoiding premature disclosure.

Since the OpenOffice project is in the process of migrating to Apache, a process which will take several months, it is important that relevant information be shared rapidly, confidentially and reliably. I'd like to propose something simple, namely that relevant information received by Apache should be quickly forwarded to [email protected], and that relevant information received by [email protected] should be quickly forwarded to [email protected].

Also, if [email protected] has a list of other security contacts with whom they routinely share pre-public-disclosure security information, we'd appreciate having that list, sent to our private list: [email protected].

Regards,
-Rob
