oss-sec mailing list archives
Re: Vendor-sec hosting and future of closed lists
From: Kees Cook <kees () ubuntu com>
Date: Thu, 3 Mar 2011 13:36:40 -0800
On Thu, Mar 03, 2011 at 06:31:08PM +0000, Mark J Cox wrote:
We monitor how we first found out about every issue we eventually fix, and if we found out before or after the issue was public. For vendor-sec, during last calendar years date # issues in advance # issues already public 2008 69 32 2009 57 17 2010 29 22 That 29 represents just 4% of the total number of our vulnerabilities fixed in 2010. The median time of embargo for those 29 issues was 15 days (average 24)
This certainly underscores that very few flaws need vendor-sec coordination, but I would suspect that out of those roughly 725 flaws, many of the really critical ones came through vendor-sec. Does that match your records? (Ubuntu doesn't currently track the origin of flaws beyond giving credit, so I'm curious if RH's data matches my sense of critical flaw origin.) I'm also curious what "issues already public but found out about it on vendor-sec" means? Does that mean it was inappropriately brought to vendor-sec after it was already public, or that RH found out about it after it was public even though it had already been discussed privately on vendor-sec?
But I think that trend is what was expected, as upstream projects communicate with affected vendors directly, and we use oss-security for issues that don't need embargo or co-ordination.
Several upstreams, though disappointingly not the Linux kernel, are very good about keeping their end-users in mind and providing direct distro coordination for important security updates (MIT Kerberos comes to mind first as a great example). This number of upstreams has been growing, but it's not nearly large enough to supplant a vendor-sec-like mailing list, IMO. I'm all for the public disclosure of things that are low priority. But I think it's important to maintain coordination for really nasty flaws, otherwise we're in a position to really do a disservice to end-users. -Kees -- Kees Cook Ubuntu Security Team
Current thread:
- Vendor-sec hosting and future of closed lists Marcus Meissner (Mar 03)
- Re: Vendor-sec hosting and future of closed lists Mark J Cox (Mar 03)
- Re: Vendor-sec hosting and future of closed lists Kees Cook (Mar 03)
- Re: Vendor-sec hosting and future of closed lists Steven M. Christey (Mar 03)
- Re: Vendor-sec hosting and future of closed lists Greg KH (Mar 03)
- Re: Vendor-sec hosting and future of closed lists Kees Cook (Mar 03)
- Re: Vendor-sec hosting and future of closed lists Greg KH (Mar 03)
- Re: Vendor-sec hosting and future of closed lists Dan Rosenberg (Mar 03)
- Re: Vendor-sec hosting and future of closed lists Greg KH (Mar 03)
- Re: Vendor-sec hosting and future of closed lists Dan Rosenberg (Mar 03)
- Re: Vendor-sec hosting and future of closed lists Greg KH (Mar 03)
- Re: Vendor-sec hosting and future of closed lists Michael Gilbert (Mar 03)
- Re: Vendor-sec hosting and future of closed lists Greg KH (Mar 03)
- Re: Vendor-sec hosting and future of closed lists Kees Cook (Mar 03)
- Re: Vendor-sec hosting and future of closed lists Mark J Cox (Mar 03)