The goal of this session is to educate security researchers, system administrators and information technology managers on how security response is handled for the open source software they run. Many open source applications are packaged and distributed by numerous vendors and projects. This results in a number of different public announcements and analyses for each issue. How are open source security issues discovered and reported? Where do the fixes come from, and who verifies that the issues in question have been fixed? Which advisory is right, and who should you listen to?