Date: Sun, 1 Jan 2012 10:24:23 +0400
From: Solar Designer <solar@...nwall.com>
To: Andrea Barisani <lcars@...rt.org>
Cc: oss-security@...ts.openwall.com
Subject: Re: [oCERT-2011-003] multiple implementations denial-of-service via hash algorithm collision

On Thu, Dec 29, 2011 at 11:58:21PM +0100, Andrea Barisani wrote:
> As stated in our timeline the embargo date was requested by reporters:
> "2011-09-25: vulnerability report received, reporters set embargo date to December 27th"
>
> Our disclosure policy also says:
> "- in any circumstance reporter preference will always be honoured in case a
> joint agreement is not reached, as oCERT would be anyway unable to force its
> embargo"
>
> We tried to negotiate an earlier embargo time as, obviously, many complained
> about the unfortunate timing considering xmas holidays but the reporters really
> wanted to release this after the CCC talk.
>
> It is oCERT policy to not leak reports before the desired date set by the
> reporters if a more favourable one is not agreed upon.
>
> Hope this clarifies the exception.

It does (at least for me). I just felt that this needed to be said.

Thank you!

Alexander