incubator-ooo-dev mailing list archives

From Matthias Huetsch <>
Subject Re: [securityteam] OpenOffice Security Vulnerability Reporting
Date Thu, 07 Jul 2011 17:39:48 GMT
Hi Rob, all,

On 07.07.11 15:48, Rob Weir wrote:
> Bringing the threads together on the public list so we can (hopefully)
> quickly discuss.
> As I understand it now, the currently directs visitors
> to report vulnerability reports to This
> address is currently being monitored.


> And at Apache we ask vulnerabilities to be reported to
>, after which they are forwarded to the particular
> project's private email list where such matters can be analyzed in
> confidence, avoiding premature disclosure.

Okay, understood.

> Since the OpenOffice project is in the process of migrating to Apache,
> a process which will take several months, it is important that
> relevant information be shared, rapidly, confidentially and reliably.


> I'd like to propose something simple, namely that relevant information
> received by Apache should be quickly forwarded to
>, and that relevant information received by
> should be quickly forwarded to

Okay, sounds reasonable to me.

> Also, if has a list of other security
> contacts with whom they routinely share pre-public disclosure security
> information, we'd appreciate having that list, sent to our private
> list:

Well, as I said previously, all upstream projects, or distributions are 
(supposed to be) subscribed to, so there was 
no need for yet another private list (securityteam@ is already private).

> Regards,
> -Rob

Hope that helps,
Matthias Huetsch
Oracle Office Security Lead, Security Team
