The infrastructure of the members-only security mailing list "Vendor-Sec" for open source vendors has been severely damaged according to a post published by Markus Meissner at the OSS Security mailing list. At Vendor-Sec, Linux and BSD distributors discussed undisclosed vulnerabilities in the kernel and open source software. Some of the information was embargoed to give vendors time to close their holes.

Meissner says a cracker apparently broke into the mailing list server at lst.de and destroyed the installation. Since then, the server has been unreachable. Meissner believes the attack is a direct reaction to his discovering the intruder.

Meissner says he discovered that the server had been broken into and informed members of the mailing list that a third party may be reading their emails – big news for criminals, who then had a source of exploits for unpatched vulnerabilities served up on a silver platter.

Because Meissner no longer has time to maintain the server, he has called on members to stop sending emails under embargo over Vendor-Sec and instead agree to a new hosting system.

It's not clear how closed off Vendor-Sec really was. List members came from both commercial and non-commercial firms and access was provided on request. In 2005, a case was made public, in which black hats reportedly reading the list obtained a kernel exploit for root access.

(crve)