On Thu, Oct 24, 2002 at 12:16:23AM +0100, Steve Kemp wrote:

> If a program is remotely exploitable/crashable should I:
>
> 1) Tell upstream only.
> 2) Notify upstream and the Debian package maintainer
> 3) Notify upstream and inform debian-security.
> 4) Notify debian-qa too.

Your best bet is to contact the security team at team@security.debian.org. Mail to security@debian.org should also work, since it goes to debian-private and ensures that the people capable of fixing the problem are aware of it and (hopefully) keeps it out of the hands of the people who are going to do harm with it.

If it seems likely that others will soon discover the bug, or possibly already have, then submit a bug against the package and add the "security" tag. Otherwise, keeping quiet about the problem will allow the security team to coordinate their work with other affected vendors.

Of course, there are others out there who will probably tell you to report it to as many people as possible as quickly as possible, under the assumption that the "Bad Guys" have already discovered the problem but have kept it quiet so as to compromise hosts without being discovered.

noah

--
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html