This list is used to provide actionable information to multiple vendors at once. This list is not intended for individuals to find out about security issues.
This policy forbids members of this project's security contacts and others defined below from sharing information outside of the security contacts and this listing without need-to-know and advance notice.
The information members and others receive from the list defined below must:
- not be made public,
- not be shared,
- not be hinted at,
- must be kept confidential and close held
Except with the list's explicit approval. This holds true until the public disclosure date/time that was agreed upon by the list.
If information is inadvertently shared beyond what is allowed by this policy, you are REQUIRED to inform the security contacts of exactly what information leaked and to whom. A retrospective will take place after the leak so we can assess how to not make this mistake in the future.
Violation of this policy will result in the immediate removal and subsequent replacement of you from this list or the security contacts.
To be eligible for joining the CVD list, you should:
- Have an actively monitored security email alias for your organization.
- Support active Flux instances to users beyond your own organization.
- Accept the Embargo Policy that is outlined above.
Submit a request here.