vendor-sec

As of March 2011, vendor-sec is no longer in use.

vendor-sec was a mailing list dedicated to distributors of operating systems using (but not necessarily solely comprised of) free and Open Source software. The list was used to discuss potential distribution element (kernel, libraries, applications) security vulnerabilities, as well as to coordinate the release of security updates by members.

Historically, vendor-sec started in early 1997 as a private communication channel for Linux vendors and as a distribution channel for CERT pre-release information. However, vendor-sec was not restricted to Linux vendors; the distribution of pre-release information from CERT quickly ceased, and vendor-sec started to receive its own security vulnerability notifications from its members and from external reporters.

Vendor-sec was a forum for:

  • Sharing knowledge about security vulnerabilities
  • Sharing and discussing security fixes
  • Coordinating release schedules for security updates

The intended audience of vendor-sec were:

  • Linux distributions
  • Linux companies
  • Individual hackers working on Linux security
  • Open Source projects with a large user base and/or high security exposure
  • Other Open Source operating systems

The mailing list was unmoderated, but requests for membership were manually vetted to ensure that only the target audience could join. This was done to avoid leaking the potentially sensitive discussions.

Linux distribution security contacts list

As an experiment, a new mailing list was set up with membership limited to Linux distribution security contacts. Moreover, the initial seed membership was also limited to those Linux vendors who were on vendor-sec. New subscription requests are discussed in public on oss-security.

Currently on the new list are:

  • ALT Linux
  • CentOS
  • Debian
  • Frugalware
  • Gentoo
  • Mandriva
  • MontaVista Software
  • Openwall
  • Oracle
  • Pardus
  • Red Hat
  • SUSE
  • Slackware
  • Ubuntu
  • Wind River
  • rPath

To report a medium severity 1) security issue to the list, send e-mail to linux [dash] distros [at] vs [dot] openwall [dot] org, preferably PGP-encrypted to the key below. If you choose not to PGP-encrypt your mail, then you must include [vs] (four characters) in the Subject line, or your message will be rejected by the mail server (for anti-spam reasons).

Please note that the maximum acceptable embargo period for issues disclosed to the list is 14 days; please do not ask for a longer embargo. If the security issue you're reporting also affects non-Linux systems, please consider notifying the other affected vendors too, and mention in your notification to the list what you're doing about this or what you'd like done.

If you do not hear back within 48 hours, please send another message to inquire whether your initial message has in fact been received.

[The list's PGP public key block is not reproduced in this copy of the page.]
1) Medium overall severity as estimated by the product of risk probability and risk impact. It is recommended that low severity security issues be reported to the public oss-security list right away, whereas high severity ones be reported to the affected vendors directly.
mailing-lists/vendor-sec.1321579966.txt · Last modified: 2011/11/18 02:32 by solar
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported