Message-ID: <20220517125233.q2xhgdov2l7bpuvb@yuggoth.org>
Date: Tue, 17 May 2022 12:52:34 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: linux-distros list policy and Linux kernel

Another potential nail in the coffin for embargoed disclosure lists
such as linux-distros and distros, as well as the idea of embargoed
disclosure in general, is recent changes in export controls, most
recently by the USA's Commerce Dept. While there seem to be
exceptions called out for "cybersecurity response" and
"vulnerability disclosure" in 86-FR-58205 (Information Security
Controls: Cybersecurity Items), I've been in a number of semi-hushed
conversations with vulnerability managers of other large free/libre
open source projects over worries that the provisions for this are
still too vague.

In particular, I've heard concerns raised by developers living in
the USA that privately supplying vulnerability fix patches or
information on exploiting privately identified vulnerabilities to
individuals in "restricted" countries could be a contravention of
federal export control policy, and that determining whether every
individual in receipt of this information is not a resident of a
"restricted" country is unfeasible enough to make a switch to
full-disclosure models increasingly attractive for these projects.

Unfortunately, the regulations are also new enough that getting a
clear risk assessment on these matters from legal counsel available
to community-run projects and non-profit foundations is...
challenging. Further, I've had some vulnerability manager colleagues
instructed by their employers to cease participation in any embargo
processes for related "corporate liability" reasons.
-- 
Jeremy Stanley
