This document details the groups that the Gentoo Linux Security Team is a part of or working with in order to coordinate vulnerabilities.
What and why
The Gentoo Linux Security Team is dedicated to an open development process and supports responsible disclosure. This means we closely collaborate with software upstreams, other distributions, security researchers and CERTs to ensure the security of our distribution.
Our group affiliations allow us to access vulnerability information and receive notifications as early as possible. As participants in a coordinated release process, we are able to assess vulnerabilities before they publicly known. We work with Gentoo developers, upstream and other distributions to prepare updates that reach Gentoo users as soon as the vulnerability is public. We commit ourselves to publish all our own findings, but we respect if third parties decide to keep certain information private.
Members and contributors of the Security team should review this list before attempting to become part of a mailing list. Any such requests are to be discussed internally and acknowledged by a team lead first.
Gentoo is part of the distros and linux-distros mailing list. The mailing list discusses vulnerabilities in several free software products and is often used for coordinated disclosure.
Gentoo is a listed vendor with the CERT Coordination Center (CERT/CC) . We receive general vulnerability notifications through the most widely known CERT.
Gentoo is a member of the oss-security mailing list since it was founded in 2008. It is a public discussion channel targeted towards security flaws in free software.
Gentoo is committed to the Common Vulnerabilities and Exposures project that seeks to enumerate information vulnerabilities. We automatically monitor the CVE feed for vulnerabilities and are seeking for our GLSAs and Bugzilla channels to output CVE identifiers. We are seeking CVE-Compatible status in the near future.
Pre-Release Disclosure of Vulnerabilities to Developers
As part of this pre-disclosure the security team maintains a Pre-Release Disclosure of Vulnerability Information Agreement, and has a list of developers that have acknowledge the agreement. The Gentoo Security team will involve these developers on a need to know basis on behalf of the Gentoo Project to prepare for the public release disclosure of vulnerabilities.
This page is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: Robert Buchholz, Alex Legler (a3li)
They are listed here because wiki history does not allow for any external attribution. If you edit the wiki article, please do not add yourself here; your contributions are recorded on each article's associated history page.