security-notifications

List Purpose

Opt-in notification email list for persons interested in early notification of security vulnerabilities in JA-SIG software and their workarounds. The Security Contact group, security@ja-sig.org, will route notifications to this list before they become publicly available.

This list has open, approved membership, moderated posting and private archives. It is administered by Andrew Petro.

Membership policy

This is a private email list intended for the distribution of JA-SIG software security vulnerability notifications on an early, roughly need-to-know basis. Only persons with an articulable need to know about vulnerabilities in JA-SIG software will be granted membership on this email list. The threshold for membership is low, but it is nonzero.

In order to make membership policy enforcement manageable, it is federated and auditable. Email addresses will be added to this list by the list administrator in response to any of the following:

  • At the request of a member of the JA-SIG Security Contact group
  • At the request of a member of a JA-SIG project steering committee
  • At the request of a JA-SIG board director
  • In response to an individual request for membership, if that request identifies a production usage of JA-SIG software (the need to know, e.g. "http://portal.yale.edu"), states an affiliation with that production usage (e.g. "I'm the project manager"), and identifies a public URL naming an institutional information security contact who will verify this affiliation (e.g. "Email H. Morrow Long, Yale information security officer, as per http://security.yale.edu/contact.html, to verify"). While this approach leverages information security infrastructure that most institutions already have in place for other reasons (DMCA requests, anyone?), this is also the most formal way to be added. You may find this approach most attractive; you may prefer to get someone in one of the above named roles to sign off on your request.

Administrative actions to grant subscriptions are logged so as to be auditable. The idea is that anyone at any time can review the list of people receiving notifications and holler if something doesn't look right.

Subscription Management

List Address: security-notifications@lists.ja-sig.org
To Subscribe: via email or via web
To Unsubscribe: via email

Edit Settings, Archives