
Project:Security/Affiliations

From Gentoo Wiki
Revision as of 13:20, 22 September 2013 by Ackle


This document details the groups that the Gentoo Linux Security Team is a part of or working with in order to coordinate vulnerabilities.

Introduction

What and why

The Gentoo Linux Security Team is dedicated to an open development process and supports responsible disclosure. This means we closely collaborate with software upstreams, other distributions, security researchers and CERTs to ensure the security of our distribution.

Our group affiliations allow us to access vulnerability information and receive notifications as early as possible. As participants in a coordinated release process, we are able to assess vulnerabilities before they are publicly known. We work with Gentoo developers, upstream and other distributions to prepare updates that reach Gentoo users as soon as the vulnerability is public. We commit ourselves to publishing all our own findings, but we respect the decision of third parties to keep certain information private.

Members and contributors of the Security team should review this list before attempting to become part of a mailing list. Any such requests are to be discussed internally and acknowledged by a team lead first.

Affiliations

linux-distros

Gentoo is part of the distros and linux-distros mailing lists. The lists discuss vulnerabilities in several free software products and are often used for coordinated disclosure.

Current members: a3li, craig

oCERT

Gentoo has been a member of oCERT since its inception in 2008. The Open Source Computer Emergency Response Team is an effort to assist free software projects in vulnerability management and usually performs responsible disclosure. We are proud to say that three of the five oCERT founding team members are former Gentoo developers.

CERT/CC

Gentoo is a listed vendor with the CERT Coordination Center (CERT/CC). We receive general vulnerability notifications through the most widely known CERT.

Current members: a3li, keytoaster

WebKit Security

Gentoo has been part of the WebKit Security mailing list and bugzilla group since 2009. This group discusses vulnerabilities in products based on the WebKit web browsing engine, such as WebKit-GTK, Qt 4 and Google Chrome.

Current members: a3li, keytoaster

Mozilla Security

Gentoo is seeking membership of the Mozilla Security Group.

Current members: none.

OpenOffice.org

Gentoo is part of the OpenOffice.org Security Group.

Current members: a3li, suka.

Samba

Gentoo is subscribed to the samba-pkg-sec mailing list, where advance Samba announcements are distributed.

oss-security

Gentoo has been a member of the oss-security mailing list since it was founded in 2008. It is a public discussion channel targeted towards security flaws in free software.

CVE

Gentoo is committed to the Common Vulnerabilities and Exposures project that seeks to enumerate information security vulnerabilities. We automatically monitor the CVE feed for vulnerabilities and aim to have our GLSAs and Bugzilla channels output CVE identifiers. We are seeking CVE-Compatible status in the near future.

Secunia

Gentoo uses vulnerability feeds provided by Secunia in order to improve vulnerability assessment and workflow automation.

Acknowledgements

We would like to thank the following authors and editors for their contributions to this guide:

  • Robert Buchholz
  • Alex Legler