Important defect Harry Kaplanian (25 Sep 2019 08:51 EDT)
Re: Important defect Stephen Pampell (25 Sep 2019 09:15 EDT)
RE: Important defect Craig McNally (25 Sep 2019 09:49 EDT)
Re: Important defect Brandon Tharp (25 Sep 2019 09:50 EDT)
Re: Important defect Hongwei Ji (25 Sep 2019 09:53 EDT)
Re: Important defect Stephen Pampell (25 Sep 2019 10:02 EDT)
Re: Important defect Peter Murray (25 Sep 2019 09:50 EDT)
Re: Important defect Harry Kaplanian (25 Sep 2019 10:03 EDT)
Re: Important defect Ian Walls (25 Sep 2019 10:24 EDT)
Re: Important defect Harry Kaplanian (25 Sep 2019 11:02 EDT)
Re: Important defect Peter Murray (25 Sep 2019 11:05 EDT)
Re: Important defect Robert Douglas (25 Sep 2019 11:17 EDT)
Re: Important defect Peter Murray (25 Sep 2019 11:25 EDT)
Re: Important defect Robert Douglas (25 Sep 2019 11:26 EDT)
Re: Important defect Stephen Pampell (25 Sep 2019 11:40 EDT)
Re: Important defect Ian Walls (25 Sep 2019 11:46 EDT)
Re: Important defect Wayne Schneider (25 Sep 2019 12:14 EDT)
Re: Important defect Stephen Pampell (25 Sep 2019 12:18 EDT)
Re: Important defect Ian Walls (25 Sep 2019 12:24 EDT)
Re: Important defect Tod Olson (25 Sep 2019 12:27 EDT)
Re: Important defect Harry Kaplanian (25 Sep 2019 12:34 EDT)
Antw: Re: Important defect Ingolf Kuss (25 Sep 2019 12:38 EDT)
Re: Important defect Wayne Schneider (25 Sep 2019 12:34 EDT)
Re: Important defect Drexl, Johannes (25 Sep 2019 12:27 EDT)

Re: Important defect Drexl, Johannes 25 Sep 2019 12:26 EDT
As far as I am aware, security issues reported by a member of the
community stay private between the core dev team and said member until
the issue is investigated, given a CVE, patched and most likely rolled
out in production environments (say, about a week from delivery of the
patch). Afterwards the issue is moved to the public. At least that's
how I understood the normal proceedings, for example with Debian,
Apache, MariaDB and others.
--
Best regards
Jo

--------------
Drexl Johannes

Leibniz-Rechenzentrum
der Bayerischen Akademie der Wissenschaften
Boltzmannstraße 1
85748 Garching

User office tel.: 089-35831-8000
Service desk tel.: 089-35831-8800

On Wednesday, 25.09.2019, 11:13 -0500, Wayne Schneider wrote:
> It does sound like the technical council has already been asked to
> address this. I believe the TC has strong representation from both
> "hosted" and "self-hosting" community members, doesn't it? I think
> this is the first "0-day" potential exploit that has been reported,
> so perhaps we should step back a little bit and work with the
> community to come up with a solid set of policies and procedures
> before jumping to the conclusion that anyone is trying to hide
> information to the advantage of hosting providers.
>
> Are there other examples of 0-day exploit reporting policies from
> other OSS communities that might serve as useful models? That might
> be something we could look at as a SIG, to provide input to the tech
> council.
>
>    wayne
>
> On Wed, Sep 25, 2019 at 10:46 AM Ian Walls <ian@bywatersolutions.com>
> wrote:
> > If we want to protect live sites from exploits of 0-days before
> > they can be patched, I think we're better off adjusting our
> > critical bug reporting procedures than locking down access to the
> > report of the problem to a curated set of users.
> >
> > Perhaps we keep the bug restricted to a trusted set of users until
> > it's fixed, then once a fix is in place, we notify the community at
> > large and make the issue open at that point? We'd need to make
> > maintenance of this list of trusted users something the community
> > can agree to, and make membership to it accessible.
> >
> >
> > Ian
> >
> > On Wed, Sep 25, 2019 at 11:40 AM Stephen Pampell <
> > spampell@library.tamu.edu> wrote:
> > > The instances of FOLIO running in production are not the only
> > > ones exposed to the internet.  I believe it to be unethical to
> > > allow those institutions (such as Texas A&M) to be kept in the
> > > dark while hosted instances get “fixed”. This is not how an OSS
> > > community works.
> > >
> > > There needs to be a process by which we notify the community of
> > > security problems. And it can’t be one where we have 2 classes of
> > > organizations: one where you run on hosted instances and get
> > > patched immediately, and one where you self-host and get patches
> > > once the hosted instances are patched.
> > >
> > > Stephen Pampell | Systems Administrator IV
> > > Digital Initiatives | University Libraries
> > >
> > > Tel. 979.458.5581 | Fax 979.845.6238
> > >
> > > > On Sep 25, 2019, at 10:26 AM, Robert Douglas <
> > > > rld244@cornell.edu> wrote:
> > > >
> > > > Ok thanks Peter.
> > > >
> > > > From: <sysops-sig@ole-lists.openlibraryfoundation.org> on
> > > > behalf of Peter Murray <peter@indexdata.com>
> > > > Reply-To: "sysops-sig@ole-lists.openlibraryfoundation.org" <
> > > > sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > Date: Wednesday, September 25, 2019 at 11:25 AM
> > > > To: "sysops-sig@ole-lists.openlibraryfoundation.org" <
> > > > sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > Subject: Re: Important defect
> > > >
> > > > I can't think of a way of summarizing it without giving away
> > > > the exploit.  Given that we have a library in production now, I
> > > > think it is prudent to wait until the issue is fully addressed.
> > > >
> > > >
> > > > Peter
> > > >
> > > > --
> > > > Peter Murray
> > > > Open Source Community Advocate
> > > > Index Data, LLC
> > > > On Sep 25, 2019, 11:17 AM -0400, Robert Douglas <
> > > > rld244@cornell.edu>, wrote:
> > > >
> > > > > Is there a description of the issue outside of Jira we can
> > > > > see? I’m not seeing it in this thread.
> > > > >
> > > > > Thanks,
> > > > > Robbie
> > > > >
> > > > > From: <sysops-sig@ole-lists.openlibraryfoundation.org> on
> > > > > behalf of Peter Murray <peter@indexdata.com>
> > > > > Reply-To: "sysops-sig@ole-lists.openlibraryfoundation.org" <
> > > > > sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > > Date: Wednesday, September 25, 2019 at 11:06 AM
> > > > > To: "sysops-sig@ole-lists.openlibraryfoundation.org" <
> > > > > sysops-sig@ole-lists.openlibraryfoundation.org>, "
> > > > > sysops-sig@ole-lists.openlibraryfoundation.org" <
> > > > > sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > > Subject: Re: Important defect
> > > > >
> > > > > Let's bounce this through Technical Council, too, to get a
> > > > > broader agreement.  I just mentioned it on the TC call.
> > > > >
> > > > >
> > > > > Peter
> > > > >
> > > > > --
> > > > > Peter Murray
> > > > > Open Source Community Advocate
> > > > > Index Data, LLC
> > > > > On Sep 25, 2019, 11:02 AM -0400, Harry Kaplanian <
> > > > > hkaplanian@ebsco.com>, wrote:
> > > > >
> > > > > > That is the concern.  But, I still believe this group
> > > > > > must know.
> > > > > > I’m compiling a list of people in Sys-Ops that should be in
> > > > > > the “group” now…
> > > > > >
> > > > > > From: <sysops-sig@ole-lists.openlibraryfoundation.org> on
> > > > > > behalf of Ian Walls <ian@bywatersolutions.com>
> > > > > > Reply-To: "sysops-sig@ole-lists.openlibraryfoundation.org"
> > > > > > <sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > > > Date: Wednesday, September 25, 2019 at 10:25 AM
> > > > > > To: "sysops-sig@ole-lists.openlibraryfoundation.org" <
> > > > > > sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > > > Subject: Re: Important defect
> > > > > >
> > > > > > Is the concern that, if we report 0-day flaws in JIRA
> > > > > > tickets, bad actors can come along and make exploits before
> > > > > > our community can react?
> > > > > >
> > > > > > On Wed, Sep 25, 2019 at 10:03 AM Harry Kaplanian <
> > > > > > hkaplanian@ebsco.com> wrote:
> > > > > > > Peter,
> > > > > > > we need a security level that includes the Sys-Ops group
> > > > > > > since they are hosting and testing with possibly real
> > > > > > > data at this point in time.  In the future as they host
> > > > > > > live, it will become critical that this group has access
> > > > > > > to this data so they can take appropriate actions when
> > > > > > > needed.
> > > > > > > Who can create this group?
> > > > > > >
> > > > > > > From: <sysops-sig@ole-lists.openlibraryfoundation.org> on
> > > > > > > behalf of Peter Murray <peter@indexdata.com>
> > > > > > > Reply-To: "sysops-sig@ole-lists.openlibraryfoundation.org
> > > > > > > " <sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > > > > Date: Wednesday, September 25, 2019 at 9:51 AM
> > > > > > > To: "sysops-sig@ole-lists.openlibraryfoundation.org" <
> > > > > > > sysops-sig@ole-lists.openlibraryfoundation.org>
> > > > > > > Subject: Re: Important defect
> > > > > > >
> > > > > > > It is set to a Jira security level of "FOLIO Core Team",
> > > > > > > so that may be limiting who can see it.
> > > > > > >
> > > > > > >
> > > > > > > Peter
> > > > > > >
> > > > > > > --
> > > > > > > Peter Murray
> > > > > > > Open Source Community Advocate
> > > > > > > Index Data, LLC
> > > > > > > On Sep 25, 2019, 9:15 AM -0400, Stephen Pampell <
> > > > > > > spampell@library.tamu.edu>, wrote:
> > > > > > >
> > > > > > > > Interesting, I don’t have permission to view either of
> > > > > > > > those issues.
> > > > > > > >
> > > > > > > > Stephen Pampell | Systems Administrator IV
> > > > > > > > Digital Initiatives | University Libraries
> > > > > > > >
> > > > > > > > Tel. 979.458.5581 | Fax 979.845.6238
> > > > > > > >
> > > > > > > >
> > > > > > > > > On Sep 25, 2019, at 7:51 AM, Harry Kaplanian <
> > > > > > > > > hkaplanian@EBSCO.COM> wrote:
> > > > > > > > >
> > > > > > > > > Hello Sys-Ops  SIG,
> > > > > > > > > I’m sending this to the group as I know some of you
> > > > > > > > > are hosting and testing FOLIO instances and there is
> > > > > > > > > a chance you might be loading and using real user
> > > > > > > > > data.
> > > > > > > > > Yesterday, during bug fest, a rather critical defect
> > > > > > > > > was found.  Please see:
> > > > > > > > > https://issues.folio.org/browse/FOLIO-2281
> > > > > > > > >
> > > > > > > > > The original posting is located here:
> > > > > > > > > https://issues.folio.org/browse/MODAT-52
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > The good news is that a fix was deployed this morning
> > > > > > > > > and testing is ongoing.
> > > > > > > > > Just in case any of you need to take precautions…
> > > > > > > > >
> > > > > > > > > Harry
> > > > > > > > >
> > > > > > > > > ------------------------------------------------------
> > > > > > > > > You received this message because you are subscribed
> > > > > > > > > to OLE Mailing List "sysops-sig".
> > > > > > > > > To unsubscribe from this list and stop receiving
> > > > > > > > > emails from it, follow this link:
> > > > > > > > > http://archives.simplelists.com.
> > > > > > > > > To post to this group, send email to
> > > > > > > > > sysops-sig@ole-lists.openlibraryfoundation.org
> > > > > > > > > Visit this group at
> > > > > > > > > https://ole-lists.openlibraryfoundation.org
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Ian Walls
> > > > > > FOLIO Implementation Lead
> > > > > > ByWater Solutions
> > > > > > Phone: (888) 900-8944
> > > > > > pronouns: (he/him/his)
> > > > > > timezone: Eastern
> > > > >
> > > >
> > >