Operating system distribution security contact lists

As an experiment, two mailing lists were setup with membership limited to operating system distribution security contacts. New subscription requests are discussed in public on oss-security. Currently we're only subscribing individuals with their personal PGP keys (messages are re-encrypted to individual recipients), not exploders.

Please only use these lists to report and discuss security issues that are not yet public (but that are to be made public very soon - please see below). For security issues that are already public or that are to be made public right away, please post to oss-security instead.

Operating system distribution security contacts list

Currently on the distros list are representatives from:

  • All Linux distribution vendors who are also on the linux-distros list below
  • FreeBSD
  • NetBSD/pkgsrc

Linux distribution security contacts list

Currently on the linux-distros list are representatives from:

  • ALT Linux
  • Android
  • Arch Linux
  • Chrome OS
  • Debian
  • Gentoo
  • Mandriva
  • MontaVista Software
  • Openwall
  • Oracle
  • Red Hat
  • Slackware
  • SUSE
  • Ubuntu
  • Wind River

How to use the lists

To report a non-public medium severity 1) security issue to one of these lists, send e-mail to distros [at] vs [dot] openwall [dot] org or linux [dash] distros [at] vs [dot] openwall [dot] org (just one of these lists depending on who you want to inform), preferably PGP-encrypted to the key below (yes, same key for both lists). Be sure to include [vs] (four characters) in the Subject line, or your message will most likely 2) be rejected by the mail server (for anti-spam reasons). If you do not hear back within 48 hours, please send another message to inquire whether your initial message has in fact been received.

Speaking of encryption, the supported message formats are: plain unencrypted messages, PGP/MIME (including with attachments), or inline PGP. (In all of these cases, messages are distributed to list members (re-)encrypted to their own keys - except that headers, including From and Subject, are not encrypted, so you may want to avoid including security sensitive information in the Subject.) However, manual PGP-encrypted attachments are not supported (so if you want to attach file(s) to your encrypted message, use PGP/MIME).

Please note that the maximum acceptable embargo period for issues disclosed to these lists is 14 to 19 days, with embargoes longer than 14 days (up to 19) allowed in case the issue is reported on a Thursday or a Friday and the proposed coordinated disclosure date is thus adjusted to fall on a Monday or a Tuesday. Please do not ask for a longer embargo. In fact, embargo periods shorter than 7 days are preferable. Please notify upstream projects/developers of the affected software, other affected distro vendors, and/or affected Open Source projects before notifying one of these mailing lists in order to ensure that these other parties are OK with the maximum embargo period that would apply (and if not, then you may have to delay your notification to the mailing list), unless you're confident you'd choose to ignore their preference anyway and disclose the issue publicly soon as per the policy stated here.

When the security issue is finally to be made public, it is your (the original reporter's) responsibility to post about it to oss-security (indeed, you and others may also post to any other mailing lists, etc.)

Please note that any/all list postings may be made public once the corresponding security issue is publicly disclosed, so please do not post information that you want to stay private forever. 3)

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)

mQENBE2YijgBCADJ7gsXv583bcxm7D4gGCjqUuNv+qLj6fgB+/QNFOM0z3OB2YNj
3oaBRSR5DKhDRvHmNRbXTvNO7OjzPojMmkDlq2UgcmGHIrYraw9q/e1Hpom4dF+O
1dIMwyOZ1WARtlR5znd3hwkGrGiFnkLqDJDLKXUn/rSbRTFhay1zv1dAknR4/+zJ
74YBhZo95zVYA7piF0VmDvXDK+9R3bQM0SgoThyfdiQQMpoFd48y0jFtcbrQlVgU
7M5l/6JKTqANqxG3Qeilavqg9jG1AQyrGJCoCI6ItgDk1AyHB8hLHN6QVQl9XPpC
Uo5oXYpzPcMpdKzhnMD6/AzF+z6UEHmcmArtABEBAAG0PkxpbnV4IGRpc3RybyBz
ZWN1cml0eSBjb250YWN0cyA8bGludXgtZGlzdHJvc0B2cy5vcGVud2FsbC5vcmc+
iQE4BBMBAgAiBQJNmIo4AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDW
zkyuR+r385KNB/0RyvjAjy6Zz2+UDq4JzR8aAt0DAScycD/1jWMBzwncBrkoXG0v
yJ+m5AFtXcHRKGYgfZ8Aothpe5vi/fnQnuAzz2RyGDw15/7wyXWsA3rbWELCxx13
iLfFrFAXboM7FlGCCdALosEaJBM2gAuCNouxraFWXVOKXUPyJ1Kpry9AIffQJWD3
2Zzn2xsPbd02Fa6nLUWf+g3608RzqUv0TZmaFu4cFjGZkrx+RejUaSchPaf9Mqal
PlIQSMBsYgZlKYVcIXGXlSA3iXhFzcLgzlwcL6MMtK+iK7UJBXMCmw1GjrTsUcY0
qeJFZzJ43wf/AoamAHKmOQIqxxIfebJX/98riEYEEBECAAYFAk2YuO4ACgkQovwC
fFs0HxW8yQCfTFiGhEsDJyPRAXmBXMWEDxYq4gwAoICEzh0+CHUWazrIcHh4D7wl
zYwltENPcGVyYXRpbmcgc3lzdGVtIGRpc3RybyBzZWN1cml0eSBjb250YWN0cyA8
ZGlzdHJvc0B2cy5vcGVud2FsbC5vcmc+iQE4BBMBAgAiBQJO4YbYAhsDBgsJCAcD
AgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDWzkyuR+r38xHJB/9paDZv6RWnGFcCv7bO
dvvBborWfyEjDW0kHHnevN1BLNaVq9RPRhSIbvVd3JGEkYi+C0HIUZAK0NNs8Yjh
CPQKKE2FIVLsO7wTt+FWOpKvQZWuNbPW3vvJ8x82NkmUGjMPP0JDRV+N/SB37JDc
ndjz+19SI228lxqlazS8OqbrZOeSeawKafcGVFv3CTbR2lj+1mHo6DyUbZeXf7Cq
K5wfZYhxlNtrh8gAS3vCizoIhuRzxdCF6nxobcjCYoXbtJpx30J7bUHAp6Rc5vr1
hdZDS+LxJ704x9cmEof9DgWQ4QbVb54R8xAbRpU3RFZ0veZcPu4P6mpI2ba6bP9f
6mSsuQENBE2YijgBCACkA8GQr4IYbrPU5qDsTLvlL3YU8Bekg1HlhKOC+gr8/PqI
09fQMaWBM9n79/ss4ZaS3IAX/S0HZtfpmfNc36FMTlpJRnbY1tF3NqjeIHJUGaf+
0jXTInRdOxq0U0jHqW/GLr6rNjxLFhhtFI7Y622vPf03cvZYd/pBjyYlZCHAxeRC
0OqfXLUiNLr2L0LptUO8RsWUhZJtEW65fjn0heka/eh/P+IINQrA5ranVohv6tST
ucL8blHr91AfiNw9oI0VYI8jvkVQx+cjgJeTYlOegqzZ3Vq+une21nkLd9nbuauJ
Q7lodfhzH6yUrTQjwUpxi/udXNFFIJFuM6IAAGkfABEBAAGJAR8EGAECAAkFAk2Y
ijgCGwwACgkQ1s5Mrkfq9/O7fgf/WYnIqcEQivO9SB90O1jplJP55HZoIUwf4Rrp
Y9Nbz3nG2qXo1b68kw/O/zggU90K3oJ+yzsyETLAOH5+nrOPBxjrGIYbVsEMt+Vf
W+7WahYvh30IJWLMy3Xv3v7uzHzP5T81FnwJyja85Y56rLyaYhk9E3KYcJ1phaYW
oFDQuioFUFDi6TV5WK13B5d/InTy/4uQDzOWPE0Ev8RTZex7hDx+SxwASszQnghn
ovWWEa96Gh5fpdoyWpBE9Na/9Hz2y8RO+Okctct4xdZZFYcEg4wpnFigCBFIq+jx
K4LI8Y1o8SiVLMztF+knDaZxohs+7BWYGzsWvsYOGqTMkBM5IQ==
=E3Xb
-----END PGP PUBLIC KEY BLOCK-----
1) Medium overall severity as estimated by risk probability and risk impact product. It is recommended that low severity security issues be reported to the public oss-security list right away, whereas high severity ones be reported to the affected vendors directly.
2) We're using a whitelist approach
3) There was/is intent to be making all list postings public with a delay, which is currently not yet implemented for technical reasons, but it may be implemented and applied retroactively - that is, including to past postings.
mailing-lists/distros.txt · Last modified: 2013/04/21 15:35 by solar
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported
Recent changes RSS feed Donate to DokuWiki Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki Powered by OpenVZ Powered by Openwall GNU/*/Linux Bookmark and Share