On 07/07/2011 14:48, Rob Weir wrote:
> Bringing the threads together on the public list so we can (hopefully)
> quickly discuss.
>
> As I understand it now, the OpenOffice.org currently directs visitors
> to report vulnerability reports to [email protected]. This
> address is currently being monitored.
>
> And at Apache we ask vulnerabilities to be reported to
> [email protected], after which they are forwarded to the particular
> project's private email list where such matters can be analyzed in
> confidence, avoiding premature disclosure.
>
> Since the OpenOffice project is in the process of migrating to Apache,
> a process which will take several months, it is important that
> relevant information be shared, rapidly, confidentially and reliably.
>
> I'd like to propose something simple, namely that relevant information
> received by Apache should be quickly forwarded to
> [email protected], and that relevant information received by
> [email protected] should be quickly forwarded to
> [email protected].
>
> Also, if [email protected] has a list of other security
> contacts with whom they routinely share pre-public disclosure security
> information, we'd appreciate having that list, sent to our private
> list: [email protected].

Access to [email protected] is too open for security issues.
[email protected] needs to be set up with access limited to a small,
trusted set of individuals. The current subscribers to
[email protected] would be a good place to start.

Mark
