
Re: Concerns about how the Security information is presented on Debian.org

Dear Max, 
I am also a simple Debian user.

Debian naturally follows the free software rules of the do-ocracy. Therefore, you can share the vulnerabilities you encounter in the software with both the upstream developers and the dedicated security team.
In addition, the customary law of open source communities allows you, respectively, to create or share:
a public and custom database in a public repository as your unofficial Common Vulnerabilities and Exposures project;
any vulnerability due to human factors, social engineering or software flaws through forums or your personal blog.

Thanks for your enthusiasm, thanks to the open source communities and thanks to the Debian community and ... thanks to Edward Snowden for his courage.

On Sun, 19 Dec 2021, 17:42 Max WillB <maxwillb@mailfence.com> wrote:
Davide Prina <davide.prina@gmail.com> wrote:

> you must understand that who report a security problem can be a different person

The point is, to quote the paper:

"a vast majority of vulnerabilities and their corresponding security patches remain beyond public exposure"

Vulnerabilities are fixed in fresh versions of software. The versions in Stable stay vulnerable, even if all CVEs are reported to Debian (which I don't think is the case) and even if they are all fixed quickly (which is definitely not the case). It's a limitation of Debian's and RH's approach, compared to the rolling-release approach. This is one of the two things I mentioned that debian.org/security is not telling you.

> chromium has been removed from testing

That doesn't help people who trusted debian.org/security and are running it.

Sent with https://mailfence.com 
Secure and private email
