2005-02-02
Recent events have shown that the way security in the Linux kernel is handled is broken, and it needs to be fixed right now.
Linux Kernel Security is Lacking
2005-02-02
Anonymous (1 replies)
Linux Kernel Security is Lacking
2005-02-04
Anonymous (5 replies)
"The numbers" and (deliberate?) failure to understand what Linux is
2005-02-07
RedHat not Linux User. (1 replies)
Re: The "numbers" and (deliberate?) failure to understand what Linux is
2005-02-07
Jason V. Miller (Author) (1 replies)
Linux Kernel Security is Lacking
2005-02-03
Anonymous (1 replies)
I eagerly await...
2005-02-03
Anonymous (5 replies)
So, what now about kernel security?
2005-02-03
Anonymous (2 replies)
flamer! not having a hidden mailing list = we don't care about security
2005-02-04
Alban Browaeys (1 replies)
flamer! not having a hidden mailing list = we don't care about security
2005-02-04
Jason V. Miller (Author)

As detailed in the referenced Bugtraq post (see the article), e-mail messages to individual contributors (Linus and Andrew) didn't even result in a *response* to the security researcher who reported the issue. This is unacceptable.
Additionally, this list doesn't appear exhaustive, nor is it at all straightforward. For example, if I find a vulnerability in the page fault handler (a vulnerability in this section of the Linux kernel was recently released), who am I supposed to contact? I see no reference to anything with the word "memory" (as in virtual memory) in it aside from "MEMORY TECHNOLOGY DEVICES", and nothing at all for "virtual". Aside from being cumbersome, this doesn't appear to work as you intend it to even at present.
FreeBSD and NetBSD (the two operating systems that I'm most familiar with) both have a dedicated security team. I don't see why the Linux kernel shouldn't have something similar. Sure, we're just talking about a kernel and not an entire operating system, but the Linux kernel is *everywhere*.
I don't think that having the individual maintainers responsible for handling security advisories, patching, correspondence, etc. makes sense. It doesn't appear scalable, or reliable.
A simple secure@ e-mail address and Linux kernel security team seems the right choice for this particular part of my discussion; it's worked for some of the BSD-based operating systems for quite some time.
Link to this comment: http://www.securityfocus.com/comments/columns/296/30358#30358