Stream: wg-secure-code

Topic: CVE handling as a service


Florian Gilcher (Aug 05 2019 at 09:45, on Zulip):

Is there a service that signs me up for all important things needed for running a project with secure practices (CVE registrations, etc.) _and_ gives me a safe channel to get in touch in one go?

Florian Gilcher (Aug 05 2019 at 09:45, on Zulip):

e.g. similar to those journalists' mailbox services that were all the rage 5 years ago

Tony Arcieri (Aug 12 2019 at 15:23, on Zulip):

not that I'm aware of @Florian Gilcher, in fact, you might notice the RustSec FAQ specifically advises you handle that all in advance and disclose before filing an advisory so we don't have to deal with being part of an embargoed disclosure process because it's such a hassle :wink:

Florian Gilcher (Aug 12 2019 at 15:24, on Zulip):

I was less thinking about RustSec here, but it just seems that someone providing easy mailboxes for such stuff sounds like a reasonable thing (unless you are super paranoid about your supplier).

Tony Arcieri (Aug 12 2019 at 15:24, on Zulip):

honestly I dislike pretty much everything about CVE, and even though I am (or was, a decade ago) friends with the person behind DWF and iwantacve.org, all attempts to improve the process don't seem to be working

Tony Arcieri (Aug 12 2019 at 15:25, on Zulip):

the closest thing I can think of are GitHub's embargoed security issues

Tony Arcieri (Aug 12 2019 at 15:26, on Zulip):

which I would certainly prefer to GPG-encrypted email for initial vuln disclosures, heh

Florian Gilcher (Aug 12 2019 at 15:41, on Zulip):

Yeah, but I can only open them as a maintainer; I cannot have people open them.

Tony Arcieri (Aug 12 2019 at 15:57, on Zulip):

that is unfortunate

Last update: Nov 11 2019 at 22:05 UTC