Hi Alexander, As a researcher, I find the distros list a useful resource to enable quick and simultaneous notification of many open source OS distributions.
> When it became apparent that this was to be violated since one or two of
> the affected upstreams wanted much more time, the reporter (Timothy D.
> Morgan of VSR Security) explained that at the time of his initial
> notification he had thought that 14 days would in fact be enough. While
> this sounds like a rather fundamental problem with a maximum embargo time
> policy (it is always possible that something new is discovered during
> discussion, which may invalidate the initial time estimate of the
> reporter), I've just added the following verbiage to hopefully reduce the
> number of such occurrences going forward:
>
> "If you have not yet notified upstream projects/developers of the affected
> software, other affected distro vendors, and/or affected Open Source
> projects, you may want to do so before notifying one of these mailing
> lists in order to ensure that these other parties are OK with the maximum
> embargo period that would apply (and if not, then you may have to delay
> your notification to the mailing list), unless you're confident you'd
> choose to ignore their preference anyway and disclose the issue publicly
> soon as per the policy stated here."

I think this is a good idea. I likely misunderstood the process you want researchers to follow when it comes to using the distros list. While I think the time to release for this issue was excessive, I should have nailed down a release date with the upstreams prior to notifying the distros list.

I'll reserve some additional comments for the oss-security list exclusively.

Thanks,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
