OSS-Security

about

2008-05-23T04:20:10+02:00

The Open Source Security (oss-security) wiki and mailing list are a product of co-operation amongst various open source software vendors, projects, and researchers. The purpose of the oss-security group is to encourage public discussion of security flaws, concepts, and practices in the Open Source community.

code-reviews

2010-11-08T22:28:41+02:00

This page will hopefully soon consist of many code review reports with proper description of project/version/architecture/possible flaws and security relevant patches. As a start, I will add some packages which are common across a lot of Linux distributions and have been identified as a potential risk since they either run privileged or with network input. Feel free to add other OS's or move to another, separate, page. The intention is NOT to enumerate all possibly problematic packages such as …

development-guide

2025-11-15T07:25:56+02:00

Introduction Welcome to the Secure OSS Development Guide. The goal of this wiki is to provide a list of best practices that are recommended for securely developing an open source project. Note: This development guide is currently a work in progress. At this point the guide should not be considered complete, and current content will not necessarily be included in the final draft.

disclosure

2013-10-24T01:28:37+02:00

Flaw Disclosure Anytime an individual discovers a security flaw, there are certain steps that should be taken to ensure that the details of the flaw are disclosed in a responsible and acceptable manner. Reporting a flaw in open source software poses a number of unique challenges compared to the closed source counterparts.

distro-patches

2019-07-12T14:45:43+02:00

This page lists how to find and extract patches from various open source-providing vendors, such as distributors of Linux, *BSD, and other related operating systems. See the general Vendor information page for details on where to find security announcements.

exploit-mitigation

2016-01-02T13:22:16+02:00

There are a number of exploit mitigation techniques to reduce the impact of common C vulnerabilities. Unfortunately they are not as widely used as they should in free operating systems. For ASLR to work properly Linux needs position independent code and position independent executables (CFLAGS -fpic and -pie). Currently most Linux distributions don't enable pie by default.

infrastructure

2008-05-27T19:54:22+02:00

This page lists security contacts, status links, etc. for various open source-providing infrastructure folks. When adding to this page, please include the following vendor information: * email address for the security contact * link to FAQ * link to network/service status information (i.e. scheduled down-times) * link to issue tracker (i.e. Bugzilla)

links

2025-11-15T07:31:58+02:00

Here is a list of other websites with OSS-security-related information (be it articles, tutorials, general information, etc.) Vulnerability databases and security advisory archives * - MITRE's CVE (Common Vulnerabilities and Exposures) dictionary * - NIST's NVD (National Vulnerability Database) * - OSVDB (The Open Source Vulnerability Database) * - LinuxSecurity.com adv…

mailing-lists

2023-08-09T13:04:43+02:00

This page provides links to a number of security-related mailing list resources. Public Lists * : The open source software security mailing list (oss-security), which is a counter-part to this wiki. This is a public mailing list for anyone to subscribe to. Non-members may post to the list, however their messages will be moderated before release. This list is an open list for open source software authors and vendors to discuss public security issues. * o…

mailinglists

2008-05-23T04:36:27+02:00

This page has moved.

software

2025-04-01T19:40:56+02:00

This is a list of various open source software projects with links to security contacts for the project. Please only list those projects that do have a security contact to list! The contact may be an email address or a web page with more information.

tools

2026-03-13T15:09:25+02:00

This page will give you some hints about various tools that might be used to uncover security vulnerabilities and perform code reviews. Please note that the tools listed here have been recommended by various individuals who participate in the oss-security mailing list and there are no guarantees, so please take time to carefully evaluate any tools that you use.

vendors

2025-04-10T04:36:33+02:00

This page lists security contacts, bug tracker links, links to advisories, etc. for various open source-providing vendors, such as distributors of Linux, *BSD, and other related operating systems. When adding to this page, please include the following vendor information:

welcome

2018-09-07T15:25:29+02:00

Welcome to the Open Source Software Security Wiki. This wiki provides information on a variety of open source security resources and “best practices” information. It is also the counterpart to the oss-security mailing list. Please note that registration on this wiki is distinct from mailing list subscription; you're not automatically subscribed when you register on the wiki.

whattodo

2013-10-24T01:30:11+02:00

See also: disclosure This page is designed to teach folks who may not be familiar with security what the generally accepted procedures are, and why they exist. When a user or security researcher submits a bug to a maintainer of an open-source project, there are a number of factors that determine the proper course of action. The most basic is who is known to consume the software. If all your users obtain the code directly from your site, do not modify it, and are not known to redistribute it,…