On Wed, Mar 10, 2004 17:02:01 +0000, Matthew Byng-Maddick wrote:
> On Wed, Mar 10, 2004 at 04:49:39PM +0000, Ollie Cook wrote:
> > However, I can respond on this point immediately. I know of one man who would
> > be excellent in this capacity of security officer. He's Nick Cleaton
> > (ex-Netscalibur, Claranet etc.)
>
> Nick's good at that kind of stuff, it's true. If he has the time.
I think I have the time; in fact I may well have Copious Free Time four
weeks from now :)
IMO a "Security Officer" should be a small team rather than one
individual. How about a structure something like:
security@??? and/or security-officer@???
Published address for people to report security holes. Goes to a
small group, who weed out the spam and false alarms and forward any
genuine issues to:
security-internal@??? (or somesuch)
A closed, secret list that goes to a larger group of the major
developers. Used by the security officers to announce the discovery
of security problems and to get feedback on proposed patches before
publication.
--
Nick Cleaton
nick@???