> [email protected] - private list for reporting severe
> vulnerabilities in OpenSSL or LibreSSL to the core LibreSSL team.

Why is the list private? It doesn't combine with the full disclosure principle that OpenBSD has listed on the Security webpage:

> Full Disclosure
>
> Like many readers of the BUGTRAQ mailing list, we believe in full disclosure
> of security problems. In the operating system arena, we were probably the
> first to embrace the concept. Many vendors, even of free software, still try
> to hide issues from their users.
>
> Security information moves very fast in cracker circles. On the other hand,
> our experience is that coding and releasing of proper security fixes
> typically requires about an hour of work -- very fast fix turnaround is
> possible. Thus we think that full disclosure helps the people who really
> care about security.

