Hi Rob, all,
On 07.07.11 15:48, Rob Weir wrote:
> Bringing the threads together on the public list so we can (hopefully)
> quickly discuss.
>
> As I understand it now, OpenOffice.org currently directs visitors
> to send vulnerability reports to [email protected]. This
> address is currently being monitored.

Yes.

> And at Apache we ask that vulnerabilities be reported to
> [email protected], after which they are forwarded to the particular
> project's private email list, where such matters can be analyzed in
> confidence, avoiding premature disclosure.

Okay, understood.

> Since the OpenOffice project is in the process of migrating to Apache,
> a process which will take several months, it is important that
> relevant information be shared rapidly, confidentially and reliably.

Indeed.

> I'd like to propose something simple, namely that relevant information
> received by Apache should be quickly forwarded to
> [email protected], and that relevant information received by
> [email protected] should be quickly forwarded to
> [email protected].

Okay, sounds reasonable to me.

> Also, if [email protected] has a list of other security
> contacts with whom they routinely share pre-public-disclosure security
> information, we'd appreciate having that list, sent to our private
> list: [email protected].

Well, as I said previously, all upstream projects or distributions are
(supposed to be) subscribed to [email protected], so there was
no need for yet another private list (securityteam@ is already private).

> Regards,
> -Rob
Hope that helps,
Matthias Huetsch
Oracle Office Security Lead, OpenOffice.org Security Team