Vendor-sec
vendor-sec was an electronic mailing list dedicated to distributors of operating systems built using (but not necessarily solely) free and open-source software. The list was used to discuss potential security vulnerabilities in distribution components (kernel, libraries, applications), as well as to co-ordinate the release of security updates by members.
As of March 2011, after a security compromise, vendor-sec is no longer in use. Possible alternatives to it are being considered. The following text describes what vendor-sec was prior to March 2011 (it will need to be edited and/or reused to apply to a possible vendor-sec replacement if one appears):
Current members of the list include representatives from various Linux distributions, as well as a number of BSD distributions. The list does not make a distinction between commercial and non-commercial vendors.
The mailing list is unmoderated, but requests for membership are manually vetted to ensure that only the target audience may join. This is done to avoid leaking the potentially sensitive discussions, as vendor-sec members often have access to information about vulnerabilities before they become public.
Vendor-sec practices responsible disclosure.
As part of the conditions of use, information discovered through vendor-sec may not be disclosed ahead of time by vendors. The balance between the time it takes to analyse an issue versus the required confidentiality has been described as "delicate" and can cause frustration ("Going to vendor-sec ... creates inexcusable delays, [binds] you to confidentiality.").