incubator-ooo-dev mailing list archives

From Rob Weir <apa...@robweir.com>
Subject OpenOffice Security Vulnerability Reporting
Date Thu, 07 Jul 2011 13:48:48 GMT
Bringing the threads together on the public list so we can (hopefully)
quickly discuss.

As I understand it now, OpenOffice.org currently directs visitors
to report vulnerability reports to securityteam@openoffice.org. This
address is currently being monitored.

And at Apache we ask that vulnerabilities be reported to
security@apache.org, after which they are forwarded to the particular
project's private email list where such matters can be analyzed in
confidence, avoiding premature disclosure.

Since the OpenOffice project is in the process of migrating to Apache,
a process which will take several months, it is important that
relevant information be shared, rapidly, confidentially and reliably.

I'd like to propose something simple, namely that relevant information
received by Apache should be quickly forwarded to
securityteam@openoffice.org, and that relevant information received by
securityteam@openoffice.org should be quickly forwarded to
security@apache.org.

Also, if securityteam@openoffice.org has a list of other security
contacts with whom they routinely share pre-public disclosure security
information, we'd appreciate having that list, sent to our private
list: ooo-private@incubator.apache.org.

Regards,

-Rob
