Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 1 Jan 2012 10:24:23 +0400
From: Solar Designer <>
To: Andrea Barisani <>
Subject: Re: [oCERT-2011-003] multiple implementations denial-of-service via hash algorithm collision

On Thu, Dec 29, 2011 at 11:58:21PM +0100, Andrea Barisani wrote:
> As stated in our timeline the embargo date was requested by reporters:
> "2011-09-25: vulnerability report received, reporters set embargo date to December 27th"
> Our disclosure policy also says:
> "- in any circumstance reporter preference will always be honoured in case a
> joint agreement is not reached, as oCERT would be anyway unable to force its
> embargo"
> We tried to negotiate an earlier embargo time as, obviously, many complained
> about the unfortunate timing considering xmas holidays but the reporters really
> wanted to release this after the CCC talk.
> It is oCERT policy to not leak reports before the desired date set by the
> reporters if a more favourable one is not agreed upon.
> Hope this clarifies the exception.

It does (at least for me).  I just felt that this needed to be said.

Thank you!


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ