Vendor-sec

vendor-sec was an electronic mailing list dedicated to distributors of operating systems using (but not necessarily solely) free and open-source software. The list was used to discuss potential distribution element (kernel, libraries, applications) security vulnerabilities, as well as to co-ordinate the release of security updates by members.

As of March 2011, after a security compromise, vendor-sec is no longer in use. Possible alternatives to it are being considered.

Members of the list included representatives from various Linux distributions, as well as a number of BSD distributions. The list did not make a distinction between commercial and non-commercial vendors.

The mailing list was unmoderated, but requests for membership were manually vetted to ensure that only the target audience could join. This was done to avoid leaking the potentially sensitive discussions, as vendor-sec members had access to information about vulnerabilities before they became public. Vendor-sec practised responsible disclosure.

As part of the conditions of use, information discovered through vendor-sec could not be disclosed ahead of time by vendors. The balance between the time it takes to analyse an issue and the required confidentiality has been described as "delicate" and could cause frustration ("Going to vendor-sec ... creates inexcusable delays, [binds] you to confidentiality.")