Vendor-sec

vendor-sec was an electronic mailing list for distributors of operating systems built largely (though not necessarily exclusively) on free and open-source software. It was used to discuss potential security vulnerabilities in the components a distribution ships (kernel, libraries, applications) and to coordinate the release of security updates among its members.

As of March 2011, following a security compromise of the list itself, vendor-sec is no longer in use, and possible replacements are under consideration. The following text describes how vendor-sec operated prior to March 2011; it would need to be revised or reused if a replacement list appears.

Members of the list included representatives of various Linux distributions as well as a number of BSD projects. The list made no distinction between commercial and non-commercial vendors.

The mailing list was unmoderated, but requests for membership were vetted manually to ensure that only the intended audience could join. This was done to avoid leaking potentially sensitive discussions, since vendor-sec members often had access to information about vulnerabilities before it became public. Vendor-sec practised responsible disclosure.

As a condition of membership, information obtained through vendor-sec could not be disclosed by a vendor ahead of the agreed release date. The balance between the time needed to analyse an issue and the required confidentiality has been described as "delicate", and it could cause frustration ("Going to vendor-sec ... creates inexcusable delays, you to confidentiality.").