Re: Proposal/suggestion for security team w.r.t. published vulnerabilities

On Sat, Jul 10, 2004 at 12:29:11PM +0200, Florian Weimer wrote:
> * Adrian von Bidder:
> > I think Jeroen is thinking about security problems the security team 
> > already knows about but has not yet had time to handle (and which have 
> > already been made public somewhere else.) Stupid if somebody has to 
> > search the sources *again* if the security team already has the 
> > information.
> Actually, it's rather time-consuming to determine if a security
> vulnerability has been published.  You have to discover the
> publication, and then you have to decide whether it's actually the
> same issue and if it's been disclosed completely.

The first thing that is done when a security issue gets to the
security team is to assign a CAN number after it's verified. CAN entries
are either simply 'reserved' and hidden from the general public, or at some
time the content is opened up to the public. I guess/assume that
opening up is mailed to the security team in some way, or otherwise
noticed. Then sending a mail to submit@b.d.o with a cut&paste (yank &
put) of the CAN/CVE description shouldn't be that much effort.

But this is all IMHO, and it is still a wishlist request.

> Filing bug reports about public issues is something any DD or user can
> do.  I don't think this should be added to the duties of the security
> team.  I'd appreciate if they commented on new security bugs that are
> tagged woody, though.

The security team monitors every bug report tagged security; I have had it
happen that the security team responded to a bug like that earlier than I
had the chance... So, they do already.


Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)