vendor-sec

vendor-sec is a mailing list dedicated to distributors of operating systems using (but not necessarily solely comprised of) free and open-source software.

The list is used to discuss potential security vulnerabilities in distribution elements (kernel, libraries, applications), as well as to co-ordinate the release of security updates by members.

Historically, vendor-sec started as a private communication channel for Linux vendors, and for distribution of CERT pre-release information in early 1997. However, vendor-sec is not restricted to Linux vendors.

Vendor-sec is a forum for:

  • Sharing knowledge about security vulnerabilities
  • Sharing and discussing security fixes
  • Coordinating release schedules for security updates
  • Propagating advance vulnerability notifications from the likes of CERT, NISTCC, and others to affected parties

The intended audience of vendor-sec is:

  • Linux distributions
  • Linux companies
  • Individual hackers working on Linux security
  • OpenSource projects with a large user base and/or high security exposure
  • Other OpenSource operating systems

The mailing list is unmoderated, but requests for membership are manually vetted to ensure that only the target audience may join. This is done to avoid leaking the potentially sensitive discussions, as vendor-sec members often have access to information about vulnerabilities before they become public.

If you want to join the list, try to find a “sponsor”, i.e. a vendor-sec member willing to vouch for you. Send a message to vendor-sec explaining why you want to join the list. Your application will then be discussed and voted upon by the vendor-sec members.

We encourage people who are actively researching vulnerabilities to share them with vendor-sec first, although there is a fair bit of overlap between vendor-sec and oss-security in cases where discussions are public. If you post to this list as a non-member, please ask for confirmation that your mail arrived and that action is being taken on it. If you receive no reply within 48 hours, please try to contact vendor [dash] sec [dash] admin [at] lst [dot] de and/or resend the message.

 
mailing-lists/vendor-sec.txt · Last modified: 2008/05/20 15:00 by smithj