batchu / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Create a email list for security alerts #98

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago

We are using ESAPI 1.4 in our payment app. As per Req 7.1 of the PCI PA-DSS (not DSS) specification:

7.1 Software vendors must establish a process to identify newly discovered
security vulnerabilities (for example, subscribe to alert services freely
available on the Internet) and to test their payment applications for
vulnerabilities. Any underlying software or systems that are provided with
or required by the payment application (for example, web servers, 3rd-party
libraries and programs) must be included in this process.

I have a couple of questions based on the above:
1. Do you send out vulnerability alerts?
2. If not, would you consider it, e.g., either alert notices as email to a different mailing group, or publishing into CVE?

Our preference would be to have alerts go to CVE because we have an
automated vulnerability reporting tool that looks for 3rd party libraries in
our apps and then looks for vulnerabilities in CVE for those libraries.

Thanks in advance.

Original issue reported on code.google.com by manico.james@gmail.com on 25 Jan 2010 at 11:56

GoogleCodeExporter commented 8 years ago
From KevinWall: hasn't something like this come up before, say with the
AntiSamy projects? Why reinvent the wheel each time? I'm thinking perhaps
just one OWASP-announcements or OWASP-secalerts for *all* the
OWASP projects. This is bound to come up in other OWASP projects that
involve code even if it hasn't already. I think even if this
were done OWASP-wide, it would be a low enough volume list that people
wouldn't mind. And while I can't speak for others, I personally would much
rather monitor a *single* mailing list than a half dozen. That's one reason
why sites such as Bugtraq and Secunia are successful.

Original comment by manico.james@gmail.com on 26 Jan 2010 at 12:37

GoogleCodeExporter commented 8 years ago
I would suggest that along with security patches that are announced, we also put out our best estimate of a figure using the Common Vulnerability Scoring System. CVSS v2 is becoming a de facto standard in vulnerability announcements. I think this greatly helps people to decide how urgently they need to apply the patch. Also, that way we don't have to define our own ranking system.

Original comment by kevin.w.wall@gmail.com on 28 Jan 2010 at 3:37

GoogleCodeExporter commented 8 years ago
Do we have a place where we can get subscribed to ESAPI security alerts, critical patches, etc.?

Original comment by sub...@gmail.com on 6 May 2010 at 9:48

GoogleCodeExporter commented 8 years ago
AFAIK, nothing decided yet. OWASP Leadership is still discussing it.

Original comment by kevin.w.wall@gmail.com on 9 May 2010 at 2:31

GoogleCodeExporter commented 8 years ago
This is just the right thing to do. There is no excuse for not making this happen in sync with the ESAPI 2.0 release.

Original comment by manico.james@gmail.com on 1 Nov 2010 at 1:24

GoogleCodeExporter commented 8 years ago

Original comment by kevin.w.wall@gmail.com on 12 Feb 2011 at 8:39

GoogleCodeExporter commented 8 years ago
This is being handled at an OWASP level for all projects and will be done within the month.

Original comment by chris.sc...@owasp.org on 23 Mar 2011 at 4:28