incubator-ooo-dev mailing list archives

From Rob Weir <robw...@apache.org>
Subject Re: Shutdown of the securityteam@openoffice.org mailing
Date Mon, 19 Mar 2012 13:02:56 GMT
On Mon, Mar 19, 2012 at 8:44 AM, Michael Meeks <michael.meeks@suse.com> wrote:
<snip>
>        * Do you commit to -immediately- forward any externally reported
>          security vulnerabilities vs. OO.o to the LibreOffice project ?
>
>        * If so - why not do this by advertising a cross-project
>          shared security list, following our example ?
>
>        * If not, why not ? & who does the forwarding & when ?
>

We (AOO Security Team) would contact the reporter of the issue to
determine their wishes. We would advise them if other products might
also be impacted.  We would direct them to security contacts for the
other products, or offer to share their report with those projects,
as-is or in anonymized form.

Some security reporters appreciate and trust sending sensitive reports
to an Apache address, where they have ongoing relations and
experience.  Some prefer this to sending to a list of unknown
composition and trustworthiness.

-Rob
