This shows you the differences between two versions of the page.
| | mailing-lists:oss-security [2009/10/14 00:23] solar: link to the SecLists.Org archive and RSS feed | | mailing-lists:oss-security [2024/02/28 03:54] (current) solar: Convert links from http to https |
|---|---|---|---|
| Line 3: | Line 3: | ||
| The purpose of the Open Source Security (oss-security) group is to encourage public discussion of security flaws, concepts, and practices in the Open Source community. The members of this group include, but are not limited to Open Source projects, distributors, researchers, and developers. | The purpose of the Open Source Security (oss-security) group is to encourage public discussion of security flaws, concepts, and practices in the Open Source community. The members of this group include, but are not limited to Open Source projects, distributors, researchers, and developers. | ||
| + | |||
| ===== List Membership and Moderation ===== | ===== List Membership and Moderation ===== | ||
| Line 10: | Line 11: | ||
| Anyone can send mail to the mailing list at <oss-security@lists.openwall.com>, regardless of membership status. Non-members, and new members will have their messages to the mailing list moderated to ensure that the discussions remain on topic and stay positive. Once a person has shown themselves to be a responsible community member, their messages to the list will no longer be moderated. | Anyone can send mail to the mailing list at <oss-security@lists.openwall.com>, regardless of membership status. Non-members, and new members will have their messages to the mailing list moderated to ensure that the discussions remain on topic and stay positive. Once a person has shown themselves to be a responsible community member, their messages to the list will no longer be moderated. | ||
| - | Anyone is welcome to [[http://oss-security.openwall.org/subscribe|subscribe to the mailing list]] by sending an empty message to <oss-security-subscribe@lists.openwall.com> or entering the e-mail address on the [[http://oss-security.openwall.org/subscribe|subscription page]]. You will be **required to confirm your subscription by "replying" to the automated confirmation request** that will be sent to you. You will be able to unsubscribe at any time and we will not use your e-mail address for any other purposes or share it with a third party. However, if you post to the list, other subscribers and those viewing the archives may see your address(es) as specified on your message. | + | Anyone is welcome to [[https://oss-security.openwall.org/subscribe|subscribe to the mailing list]] by sending an empty message to <oss-security-subscribe@lists.openwall.com> or entering the e-mail address on the [[https://oss-security.openwall.org/subscribe|subscription page]]. You will be **required to confirm your subscription by "replying" to the automated confirmation request** that will be sent to you. You will be able to [[./oss-security/unsubscribe|unsubscribe]] at any time and we will not use your e-mail address for any other purposes or share it with a third party. However, if you post to the list, other subscribers and those viewing the archives may see your address(es) as specified on your message. |
| Please note that **registration on this wiki is //distinct// from mailing list subscription**; you're **not** automatically subscribed when you register on the wiki. | Please note that **registration on this wiki is //distinct// from mailing list subscription**; you're **not** automatically subscribed when you register on the wiki. | ||
| - | A read-only archive of the discussions contained on the list is available to the general public [[http://www.openwall.com/lists/oss-security/|locally]], as well as via [[http://dir.gmane.org/gmane.comp.security.oss.general|Gmane]], [[http://marc.info/?l=oss-security|MARC]], and | + | A read-only archive of the discussions contained on the list is available to the general public [[https://www.openwall.com/lists/oss-security/|locally]], as well as via [[https://marc.info/?l=oss-security|MARC]] and |
| - | [[http://seclists.org/oss-sec/|SecLists.Org]] | + | [[https://seclists.org/oss-sec/|SecLists.Org]] |
| - | ([[http://seclists.org/rss/oss-sec.rss|RSS feed]]). | + | ([[https://seclists.org/rss/oss-sec.rss|RSS feed]]). |
| - | Additionally, you may [[http://twitter.com/oss_security|follow oss_security on Twitter]]. | + | Additionally, there is Twitter account [[https://twitter.com/oss_security|oss_security]]. |
| ===== List Content Guidelines ===== | ===== List Content Guidelines ===== | ||
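Review bot: the rewritten Twitter sentence in the right-hand column drops an article: "Additionally, there is Twitter account [[https://twitter.com/oss_security|oss_security]]." should read "Additionally, there is a Twitter account [[https://twitter.com/oss_security|oss_security]]." The archive sentence in the same hunk now enumerates only the local archive, MARC and SecLists.Org (the Gmane entry is gone), and the "as well as via ... and" wording still reads correctly with three items, so no further change is needed there.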
| Line 23: | Line 24: | ||
| * English please | * English please | ||
| * Plain text mail required (no HTML-only messages) | * Plain text mail required (no HTML-only messages) | ||
| - | * This is a security list. Some off-topic discussion is acceptable, but often it just turns into a long messy thread where nobody gets along. Try to stick to the topic of security | + | * When applicable, the message **Subject must include the name and version(s) of affected software, and vulnerability type**. For example, a Subject saying only "CVE-2099-99999" is not appropriate, whereas "CVE-2099-99999: Acme Placeholder 1.0 buffer overflow" would be OK. |
| - | * Public security issues only please. What you say here is public for the world to see - keep that in mind. Embargoed information is best disclosed to [[:mailing-lists:vendor-sec|vendor-sec]] | + | * At least **the most essential part of your message (e.g., vulnerability detail and/or exploit) should be directly included in the message itself** (and in plain text), rather than only included by reference to an external resource. Posting links to relevant external resources as well is acceptable, but posting only links is not. Your message should remain valuable even with all of the external resources gone. |
| - | * Please don't send fully working exploits (but testcases that exercise the flaw are welcome) | + | * This is a security list. Try to stick to the topic of security without digressing into other aspects except as it might be necessary to discuss the security aspects in their proper context. |
| - | * Security advisories aimed at end-users only are not welcome (e.g., those from a distribution vendor announcing new pre-built packages). There has to be desirable information for others in the Open Source community (e.g., an upstream maintainer may announce a new version of their software with security fixes to be picked up by distributors). | + | |
| * Please keep discussions relevant to Open Source software. This is not a list to discuss the behavior or problems with closed source software or companies. | * Please keep discussions relevant to Open Source software. This is not a list to discuss the behavior or problems with closed source software or companies. | ||
| + | * Any security issues that you post to oss-security should be either already public or to be made public by your posting ((Some kinds of embargoed information (intended for public disclosure in at most 2 weeks) may initially be disclosed to [[:mailing-lists:distros|distros]], but by doing so **you accept responsibility** to also bring the issue to oss-security, and in most cases you should just post to oss-security right away instead of ever posting to distros)) | ||
| + | * Security advisories aimed at end-users only are not welcome (e.g., those from a distribution vendor announcing new pre-built packages). There has to be desirable information for others in the Open Source community (e.g., an upstream maintainer may announce a new version of their software with security fixes to be picked up by distributors). | ||
| + | * Occasional announcements of Open Source security tools (and relevant features of non-security tools) are acceptable, but only for initial announcements and major updates (not for minor updates). Especially desirable are news on tools/features aimed to enhance security of other Open Source software. | ||
| + | * Please don't post conference CFPs, (e-)magazine calls for articles, and survey questionnaires. (These are generally cross-posted to lots of places, and oss-security list members have expressed that they do not want to see them here.) | ||
| + | * Please don't cross-post messages to oss-security and other mailing lists at once, especially not to high-volume lists such as LKML and netdev, as this tends to result in threads that wander partially or fully off-topic (e.g., Linux kernel coding style detail may end up being discussed in comments to a patch posted to LKML, but it would be off-topic for oss-security). If you feel that something needs to be posted to oss-security and to another list, please make separate postings. You may mention the other posting(s) in your oss-security posting, and even link to other lists' archives. | ||
| + | |||
| + | ===== CVE Requests ===== | ||
| + | |||
| + | Previously, one could request CVE IDs for issues in Open Source software from oss-security. This is no longer the case. Instead, please start by posting about the (to be made) public issue to oss-security (without a CVE ID), request a CVE ID [[https://cveform.mitre.org|from MITRE directly]], and finally "reply" to your own posting when you also have the CVE ID to add. With the described approach you would only approach MITRE after the issue is already public, but if you choose to do things differently and contact MITRE about an issue that is not yet public, then please do not disclose to them more than [[https://www.openwall.com/lists/oss-security/2015/04/14/3|the absolute minimum]] needed for them to assign a CVE ID. | ||
| ====== Contact Information ====== | ====== Contact Information ====== | ||
| If you experience any problems with mailing list subscription or setup, or have suggestions on improving it, please contact us at <listadmin@oss-security.openwall.org>. | If you experience any problems with mailing list subscription or setup, or have suggestions on improving it, please contact us at <listadmin@oss-security.openwall.org>. | ||
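Review bot: in the new "CVE Requests" paragraph, "With the described approach you would only approach MITRE after the issue is already public" repeats "approach"; suggest "With the described procedure you would only contact MITRE after the issue is already public". In the same hunk, the added bullet beginning "Any security issues that you post to oss-security should be either already public ..." ends at the closing "))" of its footnote with no terminal period, unlike the neighbouring bullets; a period after the footnote would keep the list consistent.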