A few of us on vendor-sec have decided to pool some cross-vendor resources and have put together a new informal organization, similar to vendor-sec but aimed at a more "general public". It is primarily a wiki of various security-related information plus a mailing list where OSS vendors and authors can discuss public security issues. The concept is moderately similar to full-disclosure or bugtraq, but is aimed particularly at OSS vendors and authors. Because of the sensitivity of some issues on vendor-sec (pre-disclosure issues, etc.), having a large number of people on vendor-sec isn't really viable, so oss-security aims to fill that gap by allowing those interested in security (and not necessarily members of vendor security teams) to discuss public issues, coordinate audits, or whatever else is useful. The aim is a stronger OSS security community that lets people with interest and expertise get involved without having to adhere to the strict "code" associated with vendor-sec.
Many thanks to the Openwall Project for offering to provide the infrastructure to host this. The wiki is up at oss-security.openwall.org and, while it is still rather small at the moment, the hope is that various vendors and authors will get on board and provide the information we're looking for. In particular, the wiki is a place where people who have found a security issue in something, or who want to figure out where, for example, Mandriva or SUSE advisories get posted, can easily find that out. It's mostly a dictionary of links right now, although I believe the goal is to add some "best practices" type information and other pertinent material to help vendors and authors.
Should be interesting stuff. =)