= Who are the Security Officer and Security Officer Team

= Information handling policies

en/security/advisories.xml

@@ -1,10 +1,10 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" [
 <!ENTITY base CDATA "..">
-<!ENTITY date "$FreeBSD: www/en/security/security.sgml,v 1.100 2002/06/27 11:43:33 nectar Exp $">
+<!ENTITY date "$FreeBSD: www/en/security/security.sgml,v 1.101 2002/06/29 09:07:09 nik Exp $">
 <!ENTITY title "FreeBSD Security Information">
 <!ENTITY % includes SYSTEM "../includes.sgml"> %includes;
 ]>
-<!-- $FreeBSD: www/en/security/security.sgml,v 1.100 2002/06/27 11:43:33 nectar Exp $ -->
+<!-- $FreeBSD: www/en/security/security.sgml,v 1.101 2002/06/29 09:07:09 nik Exp $ -->
 
 <html>
     &header;
@@ -25,7 +25,8 @@ introduce vulnerabilities.</P>
 
 <H2>Table of Contents</H2>
 <UL>
-<LI><A HREF="#sec">Information about the FreeBSD Security Officer Team</A></LI>
+<LI><A HREF="#sec">Information about the FreeBSD Security Officer</A></LI>
+<LI><A HREF="#pol">Information handling policies</A></LI>
 <LI><A HREF="#adv">FreeBSD Security Advisories</A></LI>
 <LI><A HREF="#ml">FreeBSD Security Mailing Lists Information</A></LI>
 <LI><A HREF="#tat">FreeBSD Security Tips and Tricks</A></LI>
@@ -34,35 +35,178 @@ introduce vulnerabilities.</P>
 </UL>
 
 <A NAME=sec></A>
-<H2>The FreeBSD Security Officer Team</H2>
+<H2>The FreeBSD Security Officer and the Security Officer Team</H2>
 
 <P>To better coordinate information exchange with others in the security
-community, FreeBSD has a focal point for security related communications:
+community, FreeBSD has a focal point for security-related communications:
-the FreeBSD <a href="mailto:security-officer@FreeBSD.org">Security Officer team</a>.
+the FreeBSD Security Officer.</P>
-The position is staffed by a team of dedicated security officers,
-whose main tasks are to send out advisories when there are known security
-holes and to act on reports of possible security problems with FreeBSD.</P>
 
-<P>If you need to contact someone from FreeBSD about a
+<P>If you need to contact the FreeBSD Project about
-possible security bug, you should therefore <A
+a possible security issue, you should therefore <A
-HREF="mailto:security-officer@FreeBSD.org">send mail to the Security Officer team</A>
+HREF="mailto:security-officer@FreeBSD.org">send mail to the Security
-with a description of what you have found and the type of vulnerability it
+Officer</A> with a description of what you have found and the type of
-represents.  The Security Officer team also communicates with the various
+vulnerability it represents.</P>
-<A HREF="http://www.cert.org">CERT </A>and <A
-HREF="http://www.first.org/"> FIRST</A> teams around the world,
-sharing information about possible vulnerabilities in FreeBSD or
-utilities commonly used with FreeBSD.  The Security Officers are also
-active members of those organizations.</P>
 
-<P>If you do need to contact the Security Officer team about a particularly
+<p>In order that the FreeBSD Project may respond to vulnerability
-sensitive matter, please use their <A
+reports in a timely manner, there are four members of the Security
-HREF="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/public_key.asc">PGP key
+Officer mail alias: the Security Officer, the Deputy Security Officer,
-</A> to encrypt your message before sending it.</P>
+and two Core Team liaisons.  Therefore, messages sent to the
+<a
+href="mailto:security-officer@FreeBSD.org">&lt;security-officer@FreeBSD.org&gt;</a>
+mail alias are currently delivered to:</p>
+
+<table>
+<tr valign="top">
+  <td>Jacques Vidrine <a
+    href="mailto:nectar@FreeBSD.org">&lt;nectar@FreeBSD.org&gt;</a></td>
+  <td>Security Officer</td>
+</tr>
+<tr valign="top">
+  <td>Chris Faulhaber <a
+    href="mailto:jedgar@FreeBSD.org">&lt;jedgar@FreeBSD.org&gt;</a></td>
+  <td>Deputy Security Officer</td>
+</tr>
+<tr valign="top">
+  <td>Robert Watson <a
+    href="mailto:rwatson@FreeBSD.org">&lt;rwatson@FreeBSD.org&gt;</a></td>
+  <td>FreeBSD Core Team member, Release Engineering liaison,<br>
+      TrustedBSD Project liaison, system security architecture expert</td>
+</tr>
+<tr valign="top">
+  <td>Warner Losh <a
+    href="mailto:imp@FreeBSD.org">&lt;imp@FreeBSD.org&gt;</a></td>
+  <td>FreeBSD Core Team liaison, Security Officer Emeritus</td>
+</tr>
+</table>
+
+<p>The Security Officer is supported by the <a
+href="mailto:security-team@FreeBSD.org">Security Officer Team
+&lt;security-team@FreeBSD.org&gt;</a>, a
+group of committers selected by the Security Officer.  The current
+make up of the team is as follows:</p>
+
+<table> 
+<tr valign="top">
+  <td>Bill Fumerola <a
+    href="mailto:billf@FreeBSD.org">&lt;billf@FreeBSD.org&gt;</a></td>
+  <td>FreeBSD Infrastructure liaison</td>
+</tr>
+<tr valign="top">
+  <td>Daniel Harris <a
+    href="mailto:dannyboy@FreeBSD.org">&lt;dannyboy@FreeBSD.org&gt;</a></td>
+  <td></td>
+</tr>
+<tr valign="top">
+  <td>Trevor Johnson <a
+    href="mailto:trevor@FreeBSD.org">&lt;trevor@FreeBSD.org&gt;</a></td>
+  <td></td>
+</tr>
+<tr valign="top">
+  <td>Kris Kennaway <a
+    href="mailto:kris@freebsd.org">&lt;kris@FreeBSD.org&gt;</a></td>
+  <td>Port Manager liaison, Security Officer Emeritus</td>
+</tr>
+<tr valign="top">
+  <td>Wes Peters <a
+    href="mailto:wes@FreeBSD.org">&lt;wes@FreeBSD.org&gt;</a></td>
+  <td>Core Team liaison</td>
+</tr>
+<tr valign="top">
+  <td>Guido van Rooij <a
+    href="mailto:guido@FreeBSD.org">&lt;guido@FreeBSD.org&gt;</a></td>
+  <td>Security Officer Emeritus</td>
+</tr>
+<tr valign="top">
+  <td>Dag-Erling Smorgrav <a
+    href="mailto:des@FreeBSD.org">&lt;des@FreeBSD.org&gt;</a></td>
+  <td></td>
+</tr>
+</table>
+
+<p>Please use the <a
+href="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/public_key.asc">Security
+Officer PGP key</a> to encrypt your messages to the Security Officer
+when appropriate.</p>
+
+<a NAME="pol"></a>
+<h2>Information handling policies</h2>
+
+<p>As a general policy, the FreeBSD Security Officer favors full
+disclosure of vulnerability information after a reasonable delay to
+permit safe analysis and correction of a vulnerability, as well as
+appropriate testing of the correction, and appropriate coordination
+with other affected parties.</p>
+
+<p>The Security Officer <em>will</em> notify one or more of the
+<a href="mailto:admins@FreeBSD.org">FreeBSD Cluster Admins</a> of
+vulnerabilities that put the FreeBSD Project's resources under
+immediate danger.</p>
+
+<p>The Security Officer may bring additional FreeBSD developers
+or outside developers into discussion of a submitted security
+vulnerability if their expertise is required to fully understand or
+correct the problem.  Appropriate discretion will be exercised to
+minimize unnecessary distribution of information about the submitted
+vulnerability, and any experts brought in will act in accordance of
+Security Officer policies.  In the past, experts have been brought
+in based on extensive experience with highly complex components of
+the operating system, including FFS, the VM system, and the network
+stack.</p>
+
+<p>If a FreeBSD release process is underway, the FreeBSD Release
+Engineer may also be notified that a vulnerability exists, and its
+severity, so that informed decisions may be made regarding the release
+cycle and any serious security bugs present in software associated
+with an up-coming release.  If requested, the Security Officer will
+not share information regarding the nature of the vulnerability with
+the Release Engineer, limiting information flow to existence and
+severity.</p>
+
+<p>The FreeBSD Security Officer has close working relationships
+with a number of other organizations, including third-party vendors
+that share code with FreeBSD (the OpenBSD and NetBSD projects,
+Apple, and other vendors deriving software from FreeBSD, as well
+as the Linux vendor security list), as well as organizations
+that track vulnerabilities and security incidents, such as CERT.
+Frequently vulnerabilities may extend beyond the scope of the
+FreeBSD implementation, and (perhaps less frequently) may have
+broad implications for the global networking community.  Under such
+circumstances, the Security Officer may wish to disclose vulnerability
+information to these other organizations: if you do not wish the
+Security Officer to do this, please indicate so explicitly in any
+submissions.</p>
+
+<p>Submitters should be careful to explicitly document any special
+information handling requirements.</p>
+
+<p>If the submitter of a vulnerability is interested in a coordinated
+disclosure process with the submitter and/or other vendors, this
+should be indicated explicitly in any submissions.  In the absence
+of explicit requests, the FreeBSD Security Officer will select a
+disclosure schedule that reflects both a desire for timely disclosure
+and appropriate testing of any solutions.  Submitters should be aware
+that if the vulnerability is being actively discussed in public forums
+(such as bugtraq), and actively exploited, the Security Officer may
+choose not to follow a proposed disclosure timeline in order to
+provide maximum protection for the user community.</p>
+
+<p>Submitters should be aware that the FreeBSD Project is an open
+source project, and source revision control information for every
+change made to the FreeBSD source tree is publically accessible.  If a
+disclosure schedule is provided, it should take into account both the
+official release of advisory, patch, and update information, as well
+as initial inclusion of fixes in the FreeBSD source tree.  There is
+necessarily a lag between the inclusion of fixes in the tree and the
+generation and releases of advisories, patches, and binary updates, as
+the source control system is used to generate them.</p>
+
+<p>Submissions may be protected using PGP.  If desired, responses will
+also be protected using PGP.</p>
 
 <A NAME=adv></A>
 <H2>FreeBSD Security Advisories</H2>
 
-<P>The FreeBSD Security Officer Team provides security advisories for the
+<P>The FreeBSD Security Officer provides security advisories for the
 following releases of FreeBSD:</P>
 
 <UL>

en/security/security.sgml

@@ -1,10 +1,10 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" [
 <!ENTITY base CDATA "..">
-<!ENTITY date "$FreeBSD: www/en/security/security.sgml,v 1.100 2002/06/27 11:43:33 nectar Exp $">
+<!ENTITY date "$FreeBSD: www/en/security/security.sgml,v 1.101 2002/06/29 09:07:09 nik Exp $">
 <!ENTITY title "FreeBSD Security Information">
 <!ENTITY % includes SYSTEM "../includes.sgml"> %includes;
 ]>
-<!-- $FreeBSD: www/en/security/security.sgml,v 1.100 2002/06/27 11:43:33 nectar Exp $ -->
+<!-- $FreeBSD: www/en/security/security.sgml,v 1.101 2002/06/29 09:07:09 nik Exp $ -->
 
 <html>
     &header;
@@ -25,7 +25,8 @@ introduce vulnerabilities.</P>
 
 <H2>Table of Contents</H2>
 <UL>
-<LI><A HREF="#sec">Information about the FreeBSD Security Officer Team</A></LI>
+<LI><A HREF="#sec">Information about the FreeBSD Security Officer</A></LI>
+<LI><A HREF="#pol">Information handling policies</A></LI>
 <LI><A HREF="#adv">FreeBSD Security Advisories</A></LI>
 <LI><A HREF="#ml">FreeBSD Security Mailing Lists Information</A></LI>
 <LI><A HREF="#tat">FreeBSD Security Tips and Tricks</A></LI>
@@ -34,35 +35,178 @@ introduce vulnerabilities.</P>
 </UL>
 
 <A NAME=sec></A>
-<H2>The FreeBSD Security Officer Team</H2>
+<H2>The FreeBSD Security Officer and the Security Officer Team</H2>
 
 <P>To better coordinate information exchange with others in the security
-community, FreeBSD has a focal point for security related communications:
+community, FreeBSD has a focal point for security-related communications:
-the FreeBSD <a href="mailto:security-officer@FreeBSD.org">Security Officer team</a>.
+the FreeBSD Security Officer.</P>
-The position is staffed by a team of dedicated security officers,
-whose main tasks are to send out advisories when there are known security
-holes and to act on reports of possible security problems with FreeBSD.</P>
 
-<P>If you need to contact someone from FreeBSD about a
+<P>If you need to contact the FreeBSD Project about
-possible security bug, you should therefore <A
+a possible security issue, you should therefore <A
-HREF="mailto:security-officer@FreeBSD.org">send mail to the Security Officer team</A>
+HREF="mailto:security-officer@FreeBSD.org">send mail to the Security
-with a description of what you have found and the type of vulnerability it
+Officer</A> with a description of what you have found and the type of
-represents.  The Security Officer team also communicates with the various
+vulnerability it represents.</P>
-<A HREF="http://www.cert.org">CERT </A>and <A
-HREF="http://www.first.org/"> FIRST</A> teams around the world,
-sharing information about possible vulnerabilities in FreeBSD or
-utilities commonly used with FreeBSD.  The Security Officers are also
-active members of those organizations.</P>
 
-<P>If you do need to contact the Security Officer team about a particularly
+<p>In order that the FreeBSD Project may respond to vulnerability
-sensitive matter, please use their <A
+reports in a timely manner, there are four members of the Security
-HREF="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/public_key.asc">PGP key
+Officer mail alias: the Security Officer, the Deputy Security Officer,
-</A> to encrypt your message before sending it.</P>
+and two Core Team liaisons.  Therefore, messages sent to the
+<a
+href="mailto:security-officer@FreeBSD.org">&lt;security-officer@FreeBSD.org&gt;</a>
+mail alias are currently delivered to:</p>
+
+<table>
+<tr valign="top">
+  <td>Jacques Vidrine <a
+    href="mailto:nectar@FreeBSD.org">&lt;nectar@FreeBSD.org&gt;</a></td>
+  <td>Security Officer</td>
+</tr>
+<tr valign="top">
+  <td>Chris Faulhaber <a
+    href="mailto:jedgar@FreeBSD.org">&lt;jedgar@FreeBSD.org&gt;</a></td>
+  <td>Deputy Security Officer</td>
+</tr>
+<tr valign="top">
+  <td>Robert Watson <a
+    href="mailto:rwatson@FreeBSD.org">&lt;rwatson@FreeBSD.org&gt;</a></td>
+  <td>FreeBSD Core Team member, Release Engineering liaison,<br>
+      TrustedBSD Project liaison, system security architecture expert</td>
+</tr>
+<tr valign="top">
+  <td>Warner Losh <a
+    href="mailto:imp@FreeBSD.org">&lt;imp@FreeBSD.org&gt;</a></td>
+  <td>FreeBSD Core Team liaison, Security Officer Emeritus</td>
+</tr>
+</table>
+
+<p>The Security Officer is supported by the <a
+href="mailto:security-team@FreeBSD.org">Security Officer Team
+&lt;security-team@FreeBSD.org&gt;</a>, a
+group of committers selected by the Security Officer.  The current
+make up of the team is as follows:</p>
+
+<table> 
+<tr valign="top">
+  <td>Bill Fumerola <a
+    href="mailto:billf@FreeBSD.org">&lt;billf@FreeBSD.org&gt;</a></td>
+  <td>FreeBSD Infrastructure liaison</td>
+</tr>
+<tr valign="top">
+  <td>Daniel Harris <a
+    href="mailto:dannyboy@FreeBSD.org">&lt;dannyboy@FreeBSD.org&gt;</a></td>
+  <td></td>
+</tr>
+<tr valign="top">
+  <td>Trevor Johnson <a
+    href="mailto:trevor@FreeBSD.org">&lt;trevor@FreeBSD.org&gt;</a></td>
+  <td></td>
+</tr>
+<tr valign="top">
+  <td>Kris Kennaway <a
+    href="mailto:kris@freebsd.org">&lt;kris@FreeBSD.org&gt;</a></td>
+  <td>Port Manager liaison, Security Officer Emeritus</td>
+</tr>
+<tr valign="top">
+  <td>Wes Peters <a
+    href="mailto:wes@FreeBSD.org">&lt;wes@FreeBSD.org&gt;</a></td>
+  <td>Core Team liaison</td>
+</tr>
+<tr valign="top">
+  <td>Guido van Rooij <a
+    href="mailto:guido@FreeBSD.org">&lt;guido@FreeBSD.org&gt;</a></td>
+  <td>Security Officer Emeritus</td>
+</tr>
+<tr valign="top">
+  <td>Dag-Erling Smorgrav <a
+    href="mailto:des@FreeBSD.org">&lt;des@FreeBSD.org&gt;</a></td>
+  <td></td>
+</tr>
+</table>
+
+<p>Please use the <a
+href="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/public_key.asc">Security
+Officer PGP key</a> to encrypt your messages to the Security Officer
+when appropriate.</p>
+
+<a NAME="pol"></a>
+<h2>Information handling policies</h2>
+
+<p>As a general policy, the FreeBSD Security Officer favors full
+disclosure of vulnerability information after a reasonable delay to
+permit safe analysis and correction of a vulnerability, as well as
+appropriate testing of the correction, and appropriate coordination
+with other affected parties.</p>
+
+<p>The Security Officer <em>will</em> notify one or more of the
+<a href="mailto:admins@FreeBSD.org">FreeBSD Cluster Admins</a> of
+vulnerabilities that put the FreeBSD Project's resources under
+immediate danger.</p>
+
+<p>The Security Officer may bring additional FreeBSD developers
+or outside developers into discussion of a submitted security
+vulnerability if their expertise is required to fully understand or
+correct the problem.  Appropriate discretion will be exercised to
+minimize unnecessary distribution of information about the submitted
+vulnerability, and any experts brought in will act in accordance of
+Security Officer policies.  In the past, experts have been brought
+in based on extensive experience with highly complex components of
+the operating system, including FFS, the VM system, and the network
+stack.</p>
+
+<p>If a FreeBSD release process is underway, the FreeBSD Release
+Engineer may also be notified that a vulnerability exists, and its
+severity, so that informed decisions may be made regarding the release
+cycle and any serious security bugs present in software associated
+with an up-coming release.  If requested, the Security Officer will
+not share information regarding the nature of the vulnerability with
+the Release Engineer, limiting information flow to existence and
+severity.</p>
+
+<p>The FreeBSD Security Officer has close working relationships
+with a number of other organizations, including third-party vendors
+that share code with FreeBSD (the OpenBSD and NetBSD projects,
+Apple, and other vendors deriving software from FreeBSD, as well
+as the Linux vendor security list), as well as organizations
+that track vulnerabilities and security incidents, such as CERT.
+Frequently vulnerabilities may extend beyond the scope of the
+FreeBSD implementation, and (perhaps less frequently) may have
+broad implications for the global networking community.  Under such
+circumstances, the Security Officer may wish to disclose vulnerability
+information to these other organizations: if you do not wish the
+Security Officer to do this, please indicate so explicitly in any
+submissions.</p>
+
+<p>Submitters should be careful to explicitly document any special
+information handling requirements.</p>
+
+<p>If the submitter of a vulnerability is interested in a coordinated
+disclosure process with the submitter and/or other vendors, this
+should be indicated explicitly in any submissions.  In the absence
+of explicit requests, the FreeBSD Security Officer will select a
+disclosure schedule that reflects both a desire for timely disclosure
+and appropriate testing of any solutions.  Submitters should be aware
+that if the vulnerability is being actively discussed in public forums
+(such as bugtraq), and actively exploited, the Security Officer may
+choose not to follow a proposed disclosure timeline in order to
+provide maximum protection for the user community.</p>
+
+<p>Submitters should be aware that the FreeBSD Project is an open
+source project, and source revision control information for every
+change made to the FreeBSD source tree is publically accessible.  If a
+disclosure schedule is provided, it should take into account both the
+official release of advisory, patch, and update information, as well
+as initial inclusion of fixes in the FreeBSD source tree.  There is
+necessarily a lag between the inclusion of fixes in the tree and the
+generation and releases of advisories, patches, and binary updates, as
+the source control system is used to generate them.</p>
+
+<p>Submissions may be protected using PGP.  If desired, responses will
+also be protected using PGP.</p>
 
 <A NAME=adv></A>
 <H2>FreeBSD Security Advisories</H2>
 
-<P>The FreeBSD Security Officer Team provides security advisories for the
+<P>The FreeBSD Security Officer provides security advisories for the
 following releases of FreeBSD:</P>
 
 <UL>

share/sgml/advisories.xml

@@ -1,10 +1,10 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" [
 <!ENTITY base CDATA "..">
-<!ENTITY date "$FreeBSD: www/en/security/security.sgml,v 1.100 2002/06/27 11:43:33 nectar Exp $">
+<!ENTITY date "$FreeBSD: www/en/security/security.sgml,v 1.101 2002/06/29 09:07:09 nik Exp $">
 <!ENTITY title "FreeBSD Security Information">
 <!ENTITY % includes SYSTEM "../includes.sgml"> %includes;
 ]>
-<!-- $FreeBSD: www/en/security/security.sgml,v 1.100 2002/06/27 11:43:33 nectar Exp $ -->
+<!-- $FreeBSD: www/en/security/security.sgml,v 1.101 2002/06/29 09:07:09 nik Exp $ -->
 
 <html>
     &header;
@@ -25,7 +25,8 @@ introduce vulnerabilities.</P>
 
 <H2>Table of Contents</H2>
 <UL>
-<LI><A HREF="#sec">Information about the FreeBSD Security Officer Team</A></LI>
+<LI><A HREF="#sec">Information about the FreeBSD Security Officer</A></LI>
+<LI><A HREF="#pol">Information handling policies</A></LI>
 <LI><A HREF="#adv">FreeBSD Security Advisories</A></LI>
 <LI><A HREF="#ml">FreeBSD Security Mailing Lists Information</A></LI>
 <LI><A HREF="#tat">FreeBSD Security Tips and Tricks</A></LI>
@@ -34,35 +35,178 @@ introduce vulnerabilities.</P>
 </UL>
 
 <A NAME=sec></A>
-<H2>The FreeBSD Security Officer Team</H2>
+<H2>The FreeBSD Security Officer and the Security Officer Team</H2>
 
 <P>To better coordinate information exchange with others in the security
-community, FreeBSD has a focal point for security related communications:
+community, FreeBSD has a focal point for security-related communications:
-the FreeBSD <a href="mailto:security-officer@FreeBSD.org">Security Officer team</a>.
+the FreeBSD Security Officer.</P>
-The position is staffed by a team of dedicated security officers,
-whose main tasks are to send out advisories when there are known security
-holes and to act on reports of possible security problems with FreeBSD.</P>
 
-<P>If you need to contact someone from FreeBSD about a
+<P>If you need to contact the FreeBSD Project about
-possible security bug, you should therefore <A
+a possible security issue, you should therefore <A
-HREF="mailto:security-officer@FreeBSD.org">send mail to the Security Officer team</A>
+HREF="mailto:security-officer@FreeBSD.org">send mail to the Security
-with a description of what you have found and the type of vulnerability it
+Officer</A> with a description of what you have found and the type of
-represents.  The Security Officer team also communicates with the various
+vulnerability it represents.</P>
-<A HREF="http://www.cert.org">CERT </A>and <A
-HREF="http://www.first.org/"> FIRST</A> teams around the world,
-sharing information about possible vulnerabilities in FreeBSD or
-utilities commonly used with FreeBSD.  The Security Officers are also
-active members of those organizations.</P>
 
-<P>If you do need to contact the Security Officer team about a particularly
+<p>In order that the FreeBSD Project may respond to vulnerability
-sensitive matter, please use their <A
+reports in a timely manner, there are four members of the Security
-HREF="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/public_key.asc">PGP key
+Officer mail alias: the Security Officer, the Deputy Security Officer,
-</A> to encrypt your message before sending it.</P>
+and two Core Team liaisons.  Therefore, messages sent to the
+<a
+href="mailto:security-officer@FreeBSD.org">&lt;security-officer@FreeBSD.org&gt;</a>
+mail alias are currently delivered to:</p>
+
+<table>
+<tr valign="top">
+  <td>Jacques Vidrine <a
+    href="mailto:nectar@FreeBSD.org">&lt;nectar@FreeBSD.org&gt;</a></td>
+  <td>Security Officer</td>
+</tr>
+<tr valign="top">
+  <td>Chris Faulhaber <a
+    href="mailto:jedgar@FreeBSD.org">&lt;jedgar@FreeBSD.org&gt;</a></td>
+  <td>Deputy Security Officer</td>
+</tr>
+<tr valign="top">
+  <td>Robert Watson <a
+    href="mailto:rwatson@FreeBSD.org">&lt;rwatson@FreeBSD.org&gt;</a></td>
+  <td>FreeBSD Core Team member, Release Engineering liaison,<br>
+      TrustedBSD Project liaison, system security architecture expert</td>
+</tr>
+<tr valign="top">
+  <td>Warner Losh <a
+    href="mailto:imp@FreeBSD.org">&lt;imp@FreeBSD.org&gt;</a></td>
+  <td>FreeBSD Core Team liaison, Security Officer Emeritus</td>
+</tr>
+</table>
+
+<p>The Security Officer is supported by the <a
+href="mailto:security-team@FreeBSD.org">Security Officer Team
+&lt;security-team@FreeBSD.org&gt;</a>, a
+group of committers selected by the Security Officer.  The current
+make up of the team is as follows:</p>
+
+<table> 
+<tr valign="top">
+  <td>Bill Fumerola <a
+    href="mailto:billf@FreeBSD.org">&lt;billf@FreeBSD.org&gt;</a></td>
+  <td>FreeBSD Infrastructure liaison</td>
+</tr>
+<tr valign="top">
+  <td>Daniel Harris <a
+    href="mailto:dannyboy@FreeBSD.org">&lt;dannyboy@FreeBSD.org&gt;</a></td>
+  <td></td>
+</tr>
+<tr valign="top">
+  <td>Trevor Johnson <a
+    href="mailto:trevor@FreeBSD.org">&lt;trevor@FreeBSD.org&gt;</a></td>
+  <td></td>
+</tr>
+<tr valign="top">
+  <td>Kris Kennaway <a
+    href="mailto:kris@freebsd.org">&lt;kris@FreeBSD.org&gt;</a></td>
+  <td>Port Manager liaison, Security Officer Emeritus</td>
+</tr>
+<tr valign="top">
+  <td>Wes Peters <a
+    href="mailto:wes@FreeBSD.org">&lt;wes@FreeBSD.org&gt;</a></td>
+  <td>Core Team liaison</td>
+</tr>
+<tr valign="top">
+  <td>Guido van Rooij <a
+    href="mailto:guido@FreeBSD.org">&lt;guido@FreeBSD.org&gt;</a></td>
+  <td>Security Officer Emeritus</td>
+</tr>
+<tr valign="top">
+  <td>Dag-Erling Smorgrav <a
+    href="mailto:des@FreeBSD.org">&lt;des@FreeBSD.org&gt;</a></td>
+  <td></td>
+</tr>
+</table>
+
+<p>Please use the <a
+href="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/public_key.asc">Security
+Officer PGP key</a> to encrypt your messages to the Security Officer
+when appropriate.</p>
+
+<a NAME="pol"></a>
+<h2>Information handling policies</h2>
+
+<p>As a general policy, the FreeBSD Security Officer favors full
+disclosure of vulnerability information after a reasonable delay to
+permit safe analysis and correction of a vulnerability, as well as
+appropriate testing of the correction, and appropriate coordination
+with other affected parties.</p>
+
+<p>The Security Officer <em>will</em> notify one or more of the
+<a href="mailto:admins@FreeBSD.org">FreeBSD Cluster Admins</a> of
+vulnerabilities that put the FreeBSD Project's resources under
+immediate danger.</p>
+
+<p>The Security Officer may bring additional FreeBSD developers
+or outside developers into discussion of a submitted security
+vulnerability if their expertise is required to fully understand or
+correct the problem.  Appropriate discretion will be exercised to
+minimize unnecessary distribution of information about the submitted
+vulnerability, and any experts brought in will act in accordance of
+Security Officer policies.  In the past, experts have been brought
+in based on extensive experience with highly complex components of
+the operating system, including FFS, the VM system, and the network
+stack.</p>
+
+<p>If a FreeBSD release process is underway, the FreeBSD Release
+Engineer may also be notified that a vulnerability exists, and its
+severity, so that informed decisions may be made regarding the release
+cycle and any serious security bugs present in software associated
+with an up-coming release.  If requested, the Security Officer will
+not share information regarding the nature of the vulnerability with
+the Release Engineer, limiting information flow to existence and
+severity.</p>
+
+<p>The FreeBSD Security Officer has close working relationships
+with a number of other organizations, including third-party vendors
+that share code with FreeBSD (the OpenBSD and NetBSD projects,
+Apple, and other vendors deriving software from FreeBSD, as well
+as the Linux vendor security list), as well as organizations
+that track vulnerabilities and security incidents, such as CERT.
+Frequently vulnerabilities may extend beyond the scope of the
+FreeBSD implementation, and (perhaps less frequently) may have
+broad implications for the global networking community.  Under such
+circumstances, the Security Officer may wish to disclose vulnerability
+information to these other organizations: if you do not wish the
+Security Officer to do this, please indicate so explicitly in any
+submissions.</p>
+
+<p>Submitters should be careful to explicitly document any special
+information handling requirements.</p>
+
+<p>If the submitter of a vulnerability is interested in a coordinated
+disclosure process with the submitter and/or other vendors, this
+should be indicated explicitly in any submissions.  In the absence
+of explicit requests, the FreeBSD Security Officer will select a
+disclosure schedule that reflects both a desire for timely disclosure
+and appropriate testing of any solutions.  Submitters should be aware
+that if the vulnerability is being actively discussed in public forums
+(such as bugtraq), and actively exploited, the Security Officer may
+choose not to follow a proposed disclosure timeline in order to
+provide maximum protection for the user community.</p>
+
+<p>Submitters should be aware that the FreeBSD Project is an open
+source project, and source revision control information for every
+change made to the FreeBSD source tree is publically accessible.  If a
+disclosure schedule is provided, it should take into account both the
+official release of advisory, patch, and update information, as well
+as initial inclusion of fixes in the FreeBSD source tree.  There is
+necessarily a lag between the inclusion of fixes in the tree and the
+generation and releases of advisories, patches, and binary updates, as
+the source control system is used to generate them.</p>
+
+<p>Submissions may be protected using PGP.  If desired, responses will
+also be protected using PGP.</p>
 
 <A NAME=adv></A>
 <H2>FreeBSD Security Advisories</H2>
 
-<P>The FreeBSD Security Officer Team provides security advisories for the
+<P>The FreeBSD Security Officer provides security advisories for the
 following releases of FreeBSD:</P>
 
 <UL>