Operating system distribution security contact lists

Two mailing lists were set up with operating system distribution security contacts. New subscription requests are discussed in public on oss-security. Currently we're only subscribing individuals with their personal PGP keys (messages are re-encrypted to individual recipients), not exploders (addresses that re-distribute mail to further recipients).

Please only use these lists to report and discuss security issues that are not yet public (but that are to be made public very soon - please see below). For security issues that are already public or that are to be made public right away, please post to oss-security instead (and it's literally “instead”, not “as well”, since all of the distros in here are supposed to monitor oss-security closely as well). In either case, we're only interested in issues affecting Open Source software.

It is intended that these lists be used primarily to provide actionable information to multiple distribution vendors at once. While you may at the same time request and obtain a CVE ID (to be assigned by one of the CNAs present on these lists) for the issue you report, and that's great, please avoid using these lists if your sole purpose in using them is to obtain a CVE ID (e.g., when the affected software isn't something any of the distributions currently ship, or when they are unlikely to benefit from the advance notice). In those “CVE only” cases, please start by posting about the (to be made) public issue to oss-security (without a CVE ID), request a CVE ID from MITRE directly, and finally “reply” to your own posting when you also have the CVE ID to add. With the described approach you would only approach MITRE after the issue is already public, but if you choose to do things differently and contact MITRE about an issue that is not yet public, then please do not disclose to them more than the absolute minimum needed for them to assign a CVE ID.

Operating system distribution security contacts list

Currently on the distros list are representatives from:

  • All who are also on the linux-distros list below
  • FreeBSD
  • NetBSD/pkgsrc

Linux distribution security contacts list

Currently on the linux-distros list are representatives from:

  • ALT Linux
  • Amazon Linux AMI
  • Arch Linux
  • Chrome OS
  • Debian
  • Gentoo
  • Openwall
  • Oracle
  • Red Hat
  • Slackware
  • SUSE
  • Ubuntu
  • Wind River

and independent volunteers.

How to use the lists

To report a non-public medium severity 1) security issue to one of these lists, send e-mail to distros [at] vs [dot] openwall [dot] org or linux [dash] distros [at] vs [dot] openwall [dot] org (to just one of these lists, depending on whom you want to inform), preferably PGP-encrypted to the key below (yes, the same key for both lists). Be sure to include [vs] (four characters) in the Subject line, or your message will most likely 2) be rejected by the mail server (for anti-spam reasons). In your message, please propose a (tentative) public disclosure date/time for the issue. 3) If you do not hear back within 48 hours, please send another message to inquire whether your initial message has in fact been received.

Speaking of encryption, the supported message formats are: plain unencrypted messages, PGP/MIME (including with attachments), or inline PGP. (In all of these cases, messages are distributed to list members (re-)encrypted to their own keys - except that headers, including From and Subject, are not encrypted, so you may want to avoid including security sensitive information in the Subject.) However, manual PGP-encrypted attachments are not supported (so if you want to attach file(s) to your encrypted message, use PGP/MIME).

Please note that the maximum acceptable embargo period for issues disclosed to these lists is 14 days. Please do not ask for a longer embargo. In fact, embargo periods shorter than 7 days are preferable. Please notify upstream projects/developers of the affected software, other affected distro vendors, and/or affected Open Source projects before notifying one of these mailing lists, in order to ensure that these other parties are OK with the maximum embargo period that would apply (and if not, then you may have to delay your notification to the mailing list), unless you're confident you'd choose to ignore their preference anyway and disclose the issue publicly soon, as per the policy stated here.
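A small pre-submission check for a draft report against the rules above (added example, not Openwall's code or list software): it verifies that exactly one of the two lists is addressed, that the Subject carries [vs], that the message is plain, inline PGP or PGP/MIME rather than a manually encrypted attachment, and that the proposed disclosure date keeps the embargo within 14 days (flagging anything over 7). The list addresses are the page's, de-obfuscated; the two draft messages are constructed placeholders, not real ciphertext.

```python
import email
from datetime import datetime, timedelta
from email import policy

# Rules as stated on the page (the two list addresses de-obfuscated from the page text).
LISTS = {"distros@vs.openwall.org", "linux-distros@vs.openwall.org"}
MAX_EMBARGO, PREFERRED_EMBARGO = timedelta(days=14), timedelta(days=7)

def message_format(msg):
    """Classify a parsed draft as pgp-mime, inline-pgp, plain, or manual-attachment."""
    if msg.get_content_type() == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return "pgp-mime"
    for part in msg.walk():  # an encrypted file attached by hand is not a supported format
        if part.get_content_disposition() == "attachment" and (part.get_filename() or "").lower().endswith((".gpg", ".asc", ".pgp")):
            return "manual-attachment"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and "-----BEGIN PGP MESSAGE-----" in body.get_content():
        return "inline-pgp"
    return "plain"

def check_report(raw, sent_iso, disclosure_iso):
    """Return rule violations for a draft report; an empty list means it follows the page's rules."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    rcpts = {a.addr_spec.lower() for a in msg["To"].addresses} if msg["To"] else set()
    if len(rcpts & LISTS) != 1:
        findings.append("address exactly one of the two lists")
    if "[vs]" not in (msg["Subject"] or ""):
        findings.append("Subject lacks [vs]; the whitelisting mail server will likely reject it")
    if message_format(msg) == "manual-attachment":
        findings.append("manually PGP-encrypted attachment is unsupported; use PGP/MIME")
    embargo = datetime.fromisoformat(disclosure_iso) - datetime.fromisoformat(sent_iso)
    if embargo > MAX_EMBARGO:
        findings.append(f"proposed embargo of {embargo.days} days exceeds the 14-day maximum")
    elif embargo > PREFERRED_EMBARGO:
        findings.append(f"embargo of {embargo.days} days is allowed, but under 7 is preferred")
    return findings

# Constructed drafts (placeholder armor, not real ciphertext). The second one breaks several rules.
GOOD_DRAFT = (b"To: linux-distros@vs.openwall.org\nSubject: [vs] example-pkg: constructed issue\n"
              b"Content-Type: text/plain\n\n-----BEGIN PGP MESSAGE-----\nplaceholder\n-----END PGP MESSAGE-----\n")
BAD_DRAFT = (b"To: distros@vs.openwall.org, linux-distros@vs.openwall.org\nSubject: example-pkg issue\n"
             b'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\nContent-Type: text/plain\n\nsee attached\n'
             b'--b1\nContent-Type: application/octet-stream\nContent-Disposition: attachment; filename="x.gpg"\n\n'
             b"placeholder\n--b1--\n")

if __name__ == "__main__":
    print(check_report(GOOD_DRAFT, "2017-06-25T12:00:00", "2017-07-01T12:00:00"))  # -> []
    print(check_report(BAD_DRAFT, "2017-06-25T12:00:00", "2017-07-20T12:00:00"))
```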

When the security issue is finally to be made public, it is your (the original reporter's) responsibility to post about it to oss-security (indeed, you and others may also post to any other mailing lists, etc.) In your mandatory oss-security posting, you must include sufficient detail for non-members of these private lists to also fix the issue.

If you shared exploit(s) that are not an essential part of the issue description, then at your option you may slightly delay posting them to oss-security but you must post the exploits to oss-security within at most 7 days of making the mandatory posting above. If you exercise this option, you have two mandatory postings to make: first with a sufficiently detailed issue description (as requested above) and with an announcement of your intent to post the exploits separately (please mention exactly when), and second with the exploits - or indeed you could have included the exploits right away, in your first and only mandatory posting.

Please note that any/all list postings may be made public once the corresponding security issue is publicly disclosed, so please do not post information that you want to stay private forever. 4)


1) Medium overall severity, estimated as the product of risk probability and risk impact. It is recommended that low severity security issues be reported to the public oss-security list right away, whereas high severity ones be reported to the affected vendors directly.
2) We're using a whitelist approach.
3) And if it is “right now” or “already public”, then don't post to these lists, but post to oss-security only instead.
4) There was/is intent to be making all list postings public with a delay, which is currently not yet implemented for technical reasons, but it may be implemented and applied retroactively - that is, including to past postings.
mailing-lists/distros.txt · Last modified: 2017/06/25 15:55 by solar
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported