This is an old revision of the document!
As of March 2011, vendor-sec is no longer in use.
vendor-sec was a mailing list dedicated to distributors of operating systems using (but not necessarily solely comprised of) free and Open Source software. The list was used to discuss potential distribution element (kernel, libraries, applications) security vulnerabilities, as well as to coordinate the release of security updates by members.
Historically, vendor-sec started as a private communication channel for Linux vendors, and for distribution of CERT pre-release information in early 1997. However, vendor-sec was not restricted to Linux vendors, the distribution of pre-release information from CERT quickly ceased, and vendor-sec started to receive its own security vulnerability notifications from its members and from external reporters.
Vendor-sec was a forum for:
The intended audience of vendor-sec were:
The mailing list was unmoderated, but requests for membership were manually vetted to ensure that only the target audience could join. This was done to avoid leaking the potentially sensitive discussions.
As an experiment, a new mailing list was setup with membership limited to Linux distribution security contacts. Moreover, the initial seed membership was also limited to those Linux vendors who were on vendor-sec. New subscription requests are discussed in public on oss-security.
Currently on the new list are:
To report a medium severity 1) security issue to the list, send e-mail to linux [dash] distros [at] vs [dot] openwall [dot] org, preferably PGP-encrypted to the key below. If you choose not to PGP-encrypt your mail, then you must include [vs]
(four characters) in the Subject line, or your message will be rejected by the mail server (for anti-spam reasons).
Please note that the maximum acceptable embargo period for issues disclosed to the list is 14 days; please do not ask for a longer embargo. If the security issue you're reporting affects non-Linux systems as well, please consider notifying other affected vendors as well and mention what you're doing on this or what you'd like done in your notification to the list.
If you do not hear back within 48 hours, please send another message to inquire whether your initial message has in fact been received.
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.10 (GNU/Linux) mQENBE2YijgBCADJ7gsXv583bcxm7D4gGCjqUuNv+qLj6fgB+/QNFOM0z3OB2YNj 3oaBRSR5DKhDRvHmNRbXTvNO7OjzPojMmkDlq2UgcmGHIrYraw9q/e1Hpom4dF+O 1dIMwyOZ1WARtlR5znd3hwkGrGiFnkLqDJDLKXUn/rSbRTFhay1zv1dAknR4/+zJ 74YBhZo95zVYA7piF0VmDvXDK+9R3bQM0SgoThyfdiQQMpoFd48y0jFtcbrQlVgU 7M5l/6JKTqANqxG3Qeilavqg9jG1AQyrGJCoCI6ItgDk1AyHB8hLHN6QVQl9XPpC Uo5oXYpzPcMpdKzhnMD6/AzF+z6UEHmcmArtABEBAAG0PkxpbnV4IGRpc3RybyBz ZWN1cml0eSBjb250YWN0cyA8bGludXgtZGlzdHJvc0B2cy5vcGVud2FsbC5vcmc+ iQE4BBMBAgAiBQJNmIo4AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDW zkyuR+r385KNB/0RyvjAjy6Zz2+UDq4JzR8aAt0DAScycD/1jWMBzwncBrkoXG0v yJ+m5AFtXcHRKGYgfZ8Aothpe5vi/fnQnuAzz2RyGDw15/7wyXWsA3rbWELCxx13 iLfFrFAXboM7FlGCCdALosEaJBM2gAuCNouxraFWXVOKXUPyJ1Kpry9AIffQJWD3 2Zzn2xsPbd02Fa6nLUWf+g3608RzqUv0TZmaFu4cFjGZkrx+RejUaSchPaf9Mqal PlIQSMBsYgZlKYVcIXGXlSA3iXhFzcLgzlwcL6MMtK+iK7UJBXMCmw1GjrTsUcY0 qeJFZzJ43wf/AoamAHKmOQIqxxIfebJX/98riEYEEBECAAYFAk2YuO4ACgkQovwC fFs0HxW8yQCfTFiGhEsDJyPRAXmBXMWEDxYq4gwAoICEzh0+CHUWazrIcHh4D7wl zYwluQENBE2YijgBCACkA8GQr4IYbrPU5qDsTLvlL3YU8Bekg1HlhKOC+gr8/PqI 09fQMaWBM9n79/ss4ZaS3IAX/S0HZtfpmfNc36FMTlpJRnbY1tF3NqjeIHJUGaf+ 0jXTInRdOxq0U0jHqW/GLr6rNjxLFhhtFI7Y622vPf03cvZYd/pBjyYlZCHAxeRC 0OqfXLUiNLr2L0LptUO8RsWUhZJtEW65fjn0heka/eh/P+IINQrA5ranVohv6tST ucL8blHr91AfiNw9oI0VYI8jvkVQx+cjgJeTYlOegqzZ3Vq+une21nkLd9nbuauJ Q7lodfhzH6yUrTQjwUpxi/udXNFFIJFuM6IAAGkfABEBAAGJAR8EGAECAAkFAk2Y ijgCGwwACgkQ1s5Mrkfq9/O7fgf/WYnIqcEQivO9SB90O1jplJP55HZoIUwf4Rrp Y9Nbz3nG2qXo1b68kw/O/zggU90K3oJ+yzsyETLAOH5+nrOPBxjrGIYbVsEMt+Vf W+7WahYvh30IJWLMy3Xv3v7uzHzP5T81FnwJyja85Y56rLyaYhk9E3KYcJ1phaYW oFDQuioFUFDi6TV5WK13B5d/InTy/4uQDzOWPE0Ev8RTZex7hDx+SxwASszQnghn ovWWEa96Gh5fpdoyWpBE9Na/9Hz2y8RO+Okctct4xdZZFYcEg4wpnFigCBFIq+jx K4LI8Y1o8SiVLMztF+knDaZxohs+7BWYGzsWvsYOGqTMkBM5IQ== =tqdz -----END PGP PUBLIC KEY BLOCK-----