Red Hat (NYSE: RHT) is jumping into the open source security game with an effort known as the Open Source Software Security community, or simply OSS-security. The new effort is a mailing list–based approach, in which security issues can be discussed openly.
The new effort comes on the heels of Google, Novell and others supporting an open source Computer Emergency Response Team (CERT) effort, called oCERT. Though Red Hat is supportive of oCERT, it is not an official member.
“OSS-security is not affiliated with oCERT in any way, nor is it meant to compete with them,” Josh Bressers, senior engineer for Red Hat’s security response team, told InternetNews.com. “oCERT specializes in the handling of sensitive embargoed security issues. The target of OSS-security is not handling sensitive embargoed issues but rather the discussion of public issues and challenges.”
“We link OSS-security from oCERT.org, and one of the people that started OSS-security is on the oCERT board,” said Andrea Barisani, oCERT’s founder. “We are complementary and far from being competitive, and in the open source security world all the help we can get is welcome.”
Red Hat already participates in numerous security efforts, including the vital vendor-sec group, in which vulnerabilities are reported. Bressers explained that OSS-security fulfills a different role than vendor-sec.
“The purpose of vendor-sec is to be a closed private group,” Bressers noted. “The nature of vendor-sec makes it ideal for handling embargoed sensitive security issues, but does not address the issue of public discussion,” he said, explaining that “Public discussion is the very heart of the ideals of open source.”
The OSS-security group on the other hand is meant to act as a public community effort with respect to handling open source security issues.
“The goal of this group is to fill the current vacuum for discussing and handling the unique challenges the open source community must focus on when handling security issues,” Bressers said.
Red Hat isn’t the only member of OSS-security; Mandriva, Foresight Linux and Openwall are also active participants. Bressers noted that neither Red Hat nor the OSS-security group is soliciting open source projects to participate in this effort.
“Anyone, regardless of their affiliation, is welcome to participate in this community,” Bressers said. “Rather than explicitly solicit participation from other projects, we are confident that by building a strong community, it will broaden participation.”