Posted to dev@openoffice.apache.org by Matthias Huetsch <ma...@oracle.com> on 2011/07/07 19:39:48 UTC

Re: [securityteam] OpenOffice Security Vulnerability Reporting

Hi Rob, all,

On 07.07.11 15:48, Rob Weir wrote:
> Bringing the threads together on the public list so we can (hopefully)
> quickly discuss.
>
> As I understand it now, the OpenOffice.org currently directs visitors
> to report vulnerability reports to securityteam@openoffice.org. This
> address is currently being monitored.

Yes.

> And at Apache we ask vulnerabilities to be reported to
> security@apache.org, after which they are forwarded to the particular
> project's private email list where such matters can be analyzed in
> confidence, avoiding premature disclosure.

Okay, understood.

> Since the OpenOffice project is in the process of migrating to Apache,
> a process which will take several months, it is important that
> relevant information be shared, rapidly, confidentially and reliably.

Indeed.

> I'd like to propose something simple, namely that relevant information
> received by Apache should be quickly forwarded to
> securityteam@openoffice.org, and that relevant information received by
> securityteam@openoffice.org should be quickly forwarded to
> security@apache.org.

Okay, sounds reasonable to me.

> Also, if securityteam@openoffice.org has a list of other security
> contacts with whom they routinely share pre-public disclosure security
> information, we'd appreciate having that list, sent to our private
> list: ooo-private@incubator.apache.org.

Well, as I said previously, all upstream projects or distributions are 
(supposed to be) subscribed to securityteam@openoffice.org, so there was 
no need for yet another private list (securityteam@ is already private).

> Regards,
>
> -Rob

Hope that helps,
Matthias Huetsch
Oracle Office Security Lead, OpenOffice.org Security Team