vendor-sec

As of March 2011, vendor-sec is no longer in use.

vendor-sec was a mailing list dedicated to distributors of operating systems using (but not necessarily solely comprised of) free and Open Source software. The list was used to discuss potential distribution element (kernel, libraries, applications) security vulnerabilities, as well as to coordinate the release of security updates by members.

Historically, vendor-sec started as a private communication channel for Linux vendors, and for distribution of CERT pre-release information in early 1997. However, vendor-sec was not restricted to Linux vendors, the distribution of pre-release information from CERT quickly ceased, and vendor-sec started to receive its own security vulnerability notifications from its members and from external reporters.

Vendor-sec was a forum for:

• Sharing knowledge about security vulnerabilities
• Sharing and discussing security fixes
• Coordinating release schedules for security updates

The intended audience of vendor-sec were:

• Linux distributions
• Linux companies
• Individual hackers working on Linux security
• Open Source projects with a large user base and/or high security exposure
• Other Open Source operating systems

The mailing list was unmoderated, but requests for membership were manually vetted to ensure that only the target audience could join. This was done to avoid leaking the potentially sensitive discussions.