Date: Fri, 27 Jun 2014 07:10:08 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: LMS-2014-06-16-1: Oberhumer LZO Don, On Thu, Jun 26, 2014 at 02:37:47PM -0600, Don A. Bailey wrote: > I chose not to release the bug reports to the public within the timeframe > suggested by Solar for several reasons: > 1) I have deep visibility into the vulnerable code and understand the > constraints of exploitation and the breadth > 2) The public exposure was non-obvious, and was not advertised by the > vendor > 3) The most widely effected vendors (Linux and Oberhumer) had yet to > release a patch publicly > 4) The time between exposure and public release was short enough to > negative exposure Thank you for providing this reasoning. > My job, as I saw it, was to responsibly coordinate word between all > parties. I did that as best as I could given the teams, their time zones, > their understanding of the bug, and their speed. > > All in all, I think it worked out OK, and I am satisfied with the result > thus far. There are things that could have gone better, but over all each > team worked hard to produce solid patches in a reasonable time frame. We > hit that goal. I am also of the opinion that everyone did their best, and that's great. I think actual negative impact of the delay is small or non-existent. However, I felt we must have posted these additional comments on the disclosure process in here, because it deviated from what's normally expected for issues disclosed to the distros list: http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists "When the security issue is finally to be made public, it is your (the original reporter's) responsibility to post about it to oss-security (indeed, you and others may also post to any other mailing lists, etc.)" I am tempted to add "on the same day" after "to oss-security", since this is what we expect (and what usually happens), but there may be occasional exceptions like this, so maybe we leave the wording as-is? Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ