= Who are the Security Officer and Security Officer Team

= Information handling policies
This commit is contained in:
Jacques Vidrine 2002-07-02 15:39:38 +00:00
parent 214ccbdbaf
commit 22eb4a899a
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/www/; revision=13541
3 changed files with 504 additions and 72 deletions

View file

@ -1,10 +1,10 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" [
<!ENTITY base CDATA "..">
<!ENTITY date "$FreeBSD: www/en/security/security.sgml,v 1.100 2002/06/27 11:43:33 nectar Exp $">
<!ENTITY date "$FreeBSD: www/en/security/security.sgml,v 1.101 2002/06/29 09:07:09 nik Exp $">
<!ENTITY title "FreeBSD Security Information">
<!ENTITY % includes SYSTEM "../includes.sgml"> %includes;
]>
<!-- $FreeBSD: www/en/security/security.sgml,v 1.100 2002/06/27 11:43:33 nectar Exp $ -->
<!-- $FreeBSD: www/en/security/security.sgml,v 1.101 2002/06/29 09:07:09 nik Exp $ -->
<html>
&header;
@ -25,7 +25,8 @@ introduce vulnerabilities.</P>
<H2>Table of Contents</H2>
<UL>
<LI><A HREF="#sec">Information about the FreeBSD Security Officer Team</A></LI>
<LI><A HREF="#sec">Information about the FreeBSD Security Officer</A></LI>
<LI><A HREF="#pol">Information handling policies</A></LI>
<LI><A HREF="#adv">FreeBSD Security Advisories</A></LI>
<LI><A HREF="#ml">FreeBSD Security Mailing Lists Information</A></LI>
<LI><A HREF="#tat">FreeBSD Security Tips and Tricks</A></LI>
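Review bot: the renamed table-of-contents entry "Information about the FreeBSD Security Officer" no longer matches the section it points to, whose new heading reads "The FreeBSD Security Officer and the Security Officer Team" and which now also lists the Security Officer Team; consider "Information about the FreeBSD Security Officer and Security Officer Team" so readers looking for the team find it from the contents list.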
@ -34,35 +35,178 @@ introduce vulnerabilities.</P>
</UL>
<A NAME=sec></A>
<H2>The FreeBSD Security Officer Team</H2>
<H2>The FreeBSD Security Officer and the Security Officer Team</H2>
<P>To better coordinate information exchange with others in the security
community, FreeBSD has a focal point for security related communications:
the FreeBSD <a href="mailto:security-officer@FreeBSD.org">Security Officer team</a>.
The position is staffed by a team of dedicated security officers,
whose main tasks are to send out advisories when there are known security
holes and to act on reports of possible security problems with FreeBSD.</P>
community, FreeBSD has a focal point for security-related communications:
the FreeBSD Security Officer.</P>
<P>If you need to contact someone from FreeBSD about a
possible security bug, you should therefore <A
HREF="mailto:security-officer@FreeBSD.org">send mail to the Security Officer team</A>
with a description of what you have found and the type of vulnerability it
represents. The Security Officer team also communicates with the various
<A HREF="http://www.cert.org">CERT </A>and <A
HREF="http://www.first.org/"> FIRST</A> teams around the world,
sharing information about possible vulnerabilities in FreeBSD or
utilities commonly used with FreeBSD. The Security Officers are also
active members of those organizations.</P>
<P>If you need to contact the FreeBSD Project about
a possible security issue, you should therefore <A
HREF="mailto:security-officer@FreeBSD.org">send mail to the Security
Officer</A> with a description of what you have found and the type of
vulnerability it represents.</P>
<P>If you do need to contact the Security Officer team about a particularly
sensitive matter, please use their <A
HREF="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/public_key.asc">PGP key
</A> to encrypt your message before sending it.</P>
<p>In order that the FreeBSD Project may respond to vulnerability
reports in a timely manner, there are four members of the Security
Officer mail alias: the Security Officer, the Deputy Security Officer,
and two Core Team liaisons. Therefore, messages sent to the
<a
href="mailto:security-officer@FreeBSD.org">&lt;security-officer@FreeBSD.org&gt;</a>
mail alias are currently delivered to:</p>
<table>
<tr valign="top">
<td>Jacques Vidrine <a
href="mailto:nectar@FreeBSD.org">&lt;nectar@FreeBSD.org&gt;</a></td>
<td>Security Officer</td>
</tr>
<tr valign="top">
<td>Chris Faulhaber <a
href="mailto:jedgar@FreeBSD.org">&lt;jedgar@FreeBSD.org&gt;</a></td>
<td>Deputy Security Officer</td>
</tr>
<tr valign="top">
<td>Robert Watson <a
href="mailto:rwatson@FreeBSD.org">&lt;rwatson@FreeBSD.org&gt;</a></td>
<td>FreeBSD Core Team member, Release Engineering liaison,<br>
TrustedBSD Project liaison, system security architecture expert</td>
</tr>
<tr valign="top">
<td>Warner Losh <a
href="mailto:imp@FreeBSD.org">&lt;imp@FreeBSD.org&gt;</a></td>
<td>FreeBSD Core Team liaison, Security Officer Emeritus</td>
</tr>
</table>
<p>The Security Officer is supported by the <a
href="mailto:security-team@FreeBSD.org">Security Officer Team
&lt;security-team@FreeBSD.org&gt;</a>, a
group of committers selected by the Security Officer. The current
make up of the team is as follows:</p>
<table>
<tr valign="top">
<td>Bill Fumerola <a
href="mailto:billf@FreeBSD.org">&lt;billf@FreeBSD.org&gt;</a></td>
<td>FreeBSD Infrastructure liaison</td>
</tr>
<tr valign="top">
<td>Daniel Harris <a
href="mailto:dannyboy@FreeBSD.org">&lt;dannyboy@FreeBSD.org&gt;</a></td>
<td></td>
</tr>
<tr valign="top">
<td>Trevor Johnson <a
href="mailto:trevor@FreeBSD.org">&lt;trevor@FreeBSD.org&gt;</a></td>
<td></td>
</tr>
<tr valign="top">
<td>Kris Kennaway <a
href="mailto:kris@freebsd.org">&lt;kris@FreeBSD.org&gt;</a></td>
<td>Port Manager liaison, Security Officer Emeritus</td>
</tr>
<tr valign="top">
<td>Wes Peters <a
href="mailto:wes@FreeBSD.org">&lt;wes@FreeBSD.org&gt;</a></td>
<td>Core Team liaison</td>
</tr>
<tr valign="top">
<td>Guido van Rooij <a
href="mailto:guido@FreeBSD.org">&lt;guido@FreeBSD.org&gt;</a></td>
<td>Security Officer Emeritus</td>
</tr>
<tr valign="top">
<td>Dag-Erling Smorgrav <a
href="mailto:des@FreeBSD.org">&lt;des@FreeBSD.org&gt;</a></td>
<td></td>
</tr>
</table>
<p>Please use the <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/public_key.asc">Security
Officer PGP key</a> to encrypt your messages to the Security Officer
when appropriate.</p>
<a NAME="pol"></a>
<h2>Information handling policies</h2>
<p>As a general policy, the FreeBSD Security Officer favors full
disclosure of vulnerability information after a reasonable delay to
permit safe analysis and correction of a vulnerability, as well as
appropriate testing of the correction, and appropriate coordination
with other affected parties.</p>
<p>The Security Officer <em>will</em> notify one or more of the
<a href="mailto:admins@FreeBSD.org">FreeBSD Cluster Admins</a> of
vulnerabilities that put the FreeBSD Project's resources under
immediate danger.</p>
<p>The Security Officer may bring additional FreeBSD developers
or outside developers into discussion of a submitted security
vulnerability if their expertise is required to fully understand or
correct the problem. Appropriate discretion will be exercised to
minimize unnecessary distribution of information about the submitted
vulnerability, and any experts brought in will act in accordance of
Security Officer policies. In the past, experts have been brought
in based on extensive experience with highly complex components of
the operating system, including FFS, the VM system, and the network
stack.</p>
<p>If a FreeBSD release process is underway, the FreeBSD Release
Engineer may also be notified that a vulnerability exists, and its
severity, so that informed decisions may be made regarding the release
cycle and any serious security bugs present in software associated
with an up-coming release. If requested, the Security Officer will
not share information regarding the nature of the vulnerability with
the Release Engineer, limiting information flow to existence and
severity.</p>
<p>The FreeBSD Security Officer has close working relationships
with a number of other organizations, including third-party vendors
that share code with FreeBSD (the OpenBSD and NetBSD projects,
Apple, and other vendors deriving software from FreeBSD, as well
as the Linux vendor security list), as well as organizations
that track vulnerabilities and security incidents, such as CERT.
Frequently vulnerabilities may extend beyond the scope of the
FreeBSD implementation, and (perhaps less frequently) may have
broad implications for the global networking community. Under such
circumstances, the Security Officer may wish to disclose vulnerability
information to these other organizations: if you do not wish the
Security Officer to do this, please indicate so explicitly in any
submissions.</p>
<p>Submitters should be careful to explicitly document any special
information handling requirements.</p>
<p>If the submitter of a vulnerability is interested in a coordinated
disclosure process with the submitter and/or other vendors, this
should be indicated explicitly in any submissions. In the absence
of explicit requests, the FreeBSD Security Officer will select a
disclosure schedule that reflects both a desire for timely disclosure
and appropriate testing of any solutions. Submitters should be aware
that if the vulnerability is being actively discussed in public forums
(such as bugtraq), and actively exploited, the Security Officer may
choose not to follow a proposed disclosure timeline in order to
provide maximum protection for the user community.</p>
<p>Submitters should be aware that the FreeBSD Project is an open
source project, and source revision control information for every
change made to the FreeBSD source tree is publically accessible. If a
disclosure schedule is provided, it should take into account both the
official release of advisory, patch, and update information, as well
as initial inclusion of fixes in the FreeBSD source tree. There is
necessarily a lag between the inclusion of fixes in the tree and the
generation and releases of advisories, patches, and binary updates, as
the source control system is used to generate them.</p>
<p>Submissions may be protected using PGP. If desired, responses will
also be protected using PGP.</p>
<A NAME=adv></A>
<H2>FreeBSD Security Advisories</H2>
<P>The FreeBSD Security Officer Team provides security advisories for the
<P>The FreeBSD Security Officer provides security advisories for the
following releases of FreeBSD:</P>
<UL>
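Review bot: the PGP key that submitters are told to use is linked only as `ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/public_key.asc`, fetched over unauthenticated FTP with no fingerprint stated on the page; since this page is the one place a reporter is told to trust that key, print the key's fingerprint beside the link (both in the "particularly sensitive matter" paragraph and in the later "Please use the ... Security Officer PGP key" paragraph, which otherwise say the same thing twice) so a downloaded key can be checked against it. Smaller points in the added text: "act in accordance of Security Officer policies" should read "in accordance with"; "publically accessible" should be "publicly accessible"; "up-coming release" should be "upcoming release"; "The current make up of the team" should be "makeup". The Kris Kennaway row has `href="mailto:kris@freebsd.org"` while the visible text and every other row use the `@FreeBSD.org` capitalisation; make them consistent. The new block also mixes `<a NAME="pol">`, `<h2>` and `<p>` with the file's existing `<A NAME=sec>`, `<H2>` and `<P>` style, and three team rows carry empty `<td></td>` role cells; either give them a role or drop the column for those rows.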