This document details the groups that the Gentoo Linux Security Team is a part of or working with in order to coordinate vulnerabilities.
What and why
The Gentoo Linux Security Team is dedicated to an open development process and supports responsible disclosure. This means we closely collaborate with software upstreams, other distributions, security researchers and CERTs to ensure the security of our distribution.
Our group affiliations allow us to access vulnerability information and receive notifications as early as possible. As participants in a coordinated release process, we are able to assess vulnerabilities before they publicly known. We work with Gentoo developers, upstream and other distributions to prepare updates that reach Gentoo users as soon as the vulnerability is public. We commit ourselves to publish all our own findings, but we respect if third parties decide to keep certain information private.
Members and contributors of the Security team should review this list before attempting to become part of a mailing list. Any such requests are to be discussed internally and acknowledged by a team lead first.
Gentoo is part of the distros and linux-distros mailing list. The mailing list discusses vulnerabilities in several free software products and is often used for coordinated disclosure.
Gentoo is a member of oCERT ever since its incarnation in 2008. The Open Source Computer Emergency Response Team is an effort to assist free software projects in vulnerability management and usually performs responsible disclosure. We are proud to say that three of the five oCERT founding team members are former Gentoo developers.
Gentoo is a listed vendor with the CERT Coordination Center (CERT/CC) . We receive general vulnerability notifications through the most widely known CERT.
Gentoo is part of the WebKit Security mailing list and bugzilla group since 2009. This group discusses vulnerabilities in products based on the WebKit web browsing engine, such as WebKit-GTK, Qt 4 and Google Chrome.
Gentoo is seeking membership of the Mozilla Security Group .
Current members : none.
Gentoo is subscribed to the samba-pkg-sec mailing list where advance Samba announcements are distributed.
Gentoo is a member of the oss-security mailing list since it was founded in 2008. It is a public discussion channel targeted towards security flaws in free software.
Gentoo is committed to the Common Vulnerabilities and Exposures project that seeks to enumerate information vulnerabilities. We automatically monitor the CVE feed for vulnerabilities and are seeking for our GLSAs and Bugzilla channels to output CVE identifiers. We are seeking CVE-Compatible status in the near future.
Pre-Release Disclosure of Vulnerabilities to DevelopersAs part of this pre-disclosure the security team maintains a Pre-Release Disclosure of Vulnerability Information Agreement, and has a list of developers that have acknowledge the agreement. The Gentoo Security team will involve these developers on a need to know basis on behalf of the Gentoo Project to prepare for the public release disclosure of vulnerabilities.
This article is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: Robert Buchholz, Alex Legler
They are listed here as the Wiki history does not allow for any external attribution. If you edit the Wiki article, please do not add yourself here; your contributions are recorded on the history page.