Hello Folks,

The official email address for this list is
`freebsd-security@freebsd.org'. Due to convention, there is an email
alias for this list: security@freebsd.org, just as there is for
hackers@ & freebsd-hackers@, arch@ & freebsd-arch@, and so on.

The security@freebsd.org alias has been the source of occasional
problems. Several times in the past, postings have been made to that
address under the assumption that address was directed to security
response personnel, and not a public mailing list. Of course, this
was a reasonable assumption. Practically every vendor in the universe
uses security@ for that purpose, largely because RFC 2142 strongly
recommends it for that purpose.

And sometimes one just makes a typo. It has not been
too uncommon for people to forget the `-officer' part of
`security-officer@freebsd.org'. (Yours truly has been guilty of
this.)

Mistaken early disclosure of a vulnerability can have consequences
from the merely embarrassing to catastrophic. Therefore, I am
proposing that `security@freebsd.org' be re-routed to the Security
Officer.

I imagine this will have some significant impact: there must be
many references to security@freebsd.org as a public list out there.
So, I thought I'd air the issue here before sending any request to
postmaster@.

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

On Wed, 7 Apr 2004, Jacques A. Vidrine wrote:
> Mistaken early disclosure of a vulnerability can have consequences
> from the merely embarrassing to catastrophic. Therefore, I am
> proposing that `security@freebsd.org' be re-routed to the Security
> Officer.
>

perhaps re-routing to security-team@ would be better?

just out of curiosity, how large is that group? are there any security
response guidelines (etc) that have been published?

--
Matthew George
SecureWorks Technical Operations

On Wed, Apr 07, 2004 at 10:42:20AM -0500, Jacques A. Vidrine wrote:
> Hello Folks,
>
> The official email address for this list is
> `freebsd-security@freebsd.org'. Due to convention, there is an email
> alias for this list: security@freebsd.org, just as there is for
> hackers@ & freebsd-hackers@, arch@ & freebsd-arch@, and so on.
[snip]
> Mistaken early disclosure of a vulnerability can have consequences
> from the merely embarrassing to catastrophic. Therefore, I am
> proposing that `security@freebsd.org' be re-routed to the Security
> Officer.

And before you get a flood of nay-sayers, here's a "Go for it!" from
at least one semi-lurker :)

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Nostalgia ain't what it used to be.

On Wed, Apr 07, 2004 at 10:42:20AM -0500, Jacques A. Vidrine wrote:
> Mistaken early disclosure of a vulnerability can have consequences
> from the merely embarrassing to catastrophic. Therefore, I am
> proposing that `security@freebsd.org' be re-routed to the Security
> Officer.

A serious problem, with a good solution.
A "yes" vote from me!

--
Avleen Vig
Systems Administrator
Personal: www.silverwraith.com
EFnet: irc.mindspring.com (Earthlink user access only)

On Wed, 07 Apr 2004 10:42:20 -0500, Jacques A. Vidrine scribbled down:
<snip>
> Mistaken early disclosure of a vulnerability can have consequences
> from the merely embarrassing to catastrophic. Therefore, I am
> proposing that `security@freebsd.org' be re-routed to the Security
> Officer.
[...]

I wholeheartedly agree! Go for it! :)

--
-jamie <jamie@silverdream.org> | spamtrap: spam@silverdream.org
w: http://www.silverdream.org | p: sms@silverdream.org
pgp key @ http://silverdream.org/~jps/pub.key
02:30:01 up 5 days, 3:34, 11 users, load average: 0.03, 0.13, 0.16

Jacques A. Vidrine
2004-Apr-16 09:32 UTC
HEADS UP Re: Changing `security@freebsd.org' alias
Hello again,

The change discussed earlier has been made. Email to
<security@FreeBSD.org> now reaches the security team rather than any
public list.

If you find any references to <security@FreeBSD.org> as a public list,
please let me know. It appears that there were none on the web site or
handbook or FAQ, but there could be some I missed.

Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org

On Wed, Apr 07, 2004 at 10:42:20AM -0500, Jacques A. Vidrine wrote:
> Hello Folks,
>
> The official email address for this list is
> `freebsd-security@freebsd.org'. Due to convention, there is an email
> alias for this list: security@freebsd.org, just as there is for
> hackers@ & freebsd-hackers@, arch@ & freebsd-arch@, and so on.
>
> The security@freebsd.org alias has been the source of occasional
> problems. Several times in the past, postings have been made to that
> address under the assumption that address was directed to security
> response personnel, and not a public mailing list. Of course, this
> was a reasonable assumption. Practically every vendor in the universe
> uses security@ for that purpose, largely because RFC 2142 strongly
> recommends it for that purpose.
>
> And sometimes one just makes a typo. It has not been
> too uncommon for people to forget the `-officer' part of
> `security-officer@freebsd.org'. (Yours truly has been guilty of
> this.)
>
> Mistaken early disclosure of a vulnerability can have consequences
> from the merely embarrassing to catastrophic. Therefore, I am
> proposing that `security@freebsd.org' be re-routed to the Security
> Officer.
>
> I imagine this will have some significant impact: there must be
> many references to security@freebsd.org as a public list out there.
> So, I thought I'd air the issue here before sending any request to
> postmaster@.