Date: Thu, 26 Jun 2014 21:15:05 -0600
From: "Don A. Bailey" <donb@...uritymouse.com>
To: oss-security@...ts.openwall.com
Subject: Re: LMS-2014-06-16-1: Oberhumer LZO

Totally understand. Not a problem at all, I thought I should just offer my
perspective for this list, as they were not on the Linux kernel thread, nor
the distros thread. :-)

I'm very happy to hear you agree that negative impact was minimal.

D



On Thu, Jun 26, 2014 at 9:10 PM, Solar Designer <solar@...nwall.com> wrote:

> Don,
>
> On Thu, Jun 26, 2014 at 02:37:47PM -0600, Don A. Bailey wrote:
> > I chose not to release the bug reports to the public within the timeframe
> > suggested by Solar for several reasons:
> >  1) I have deep visibility into the vulnerable code and understand the
> > constraints of exploitation and the breadth
> >  2) The public exposure was non-obvious, and was not advertised by the
> > vendor
> >  3) The most widely affected vendors (Linux and Oberhumer) had yet to
> > release a patch publicly
> >  4) The time between exposure and public release was short enough to
> > negative exposure
>
> Thank you for providing this reasoning.
>
> > My job, as I saw it, was to responsibly coordinate word between all
> > parties. I did that as best as I could given the teams, their time zones,
> > their understanding of the bug, and their speed.
> >
> > All in all, I think it worked out OK, and I am satisfied with the result
> > thus far. There are things that could have gone better, but overall each
> > team worked hard to produce solid patches in a reasonable time frame. We
> > hit that goal.
>
> I am also of the opinion that everyone did their best, and that's great.
>
> I think actual negative impact of the delay is small or non-existent.
> However, I felt we must have posted these additional comments on the
> disclosure process in here, because it deviated from what's normally
> expected for issues disclosed to the distros list:
>
>
> http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists
>
> "When the security issue is finally to be made public, it is your (the
> original reporter's) responsibility to post about it to oss-security
> (indeed, you and others may also post to any other mailing lists, etc.)"
>
> I am tempted to add "on the same day" after "to oss-security", since
> this is what we expect (and what usually happens), but there may be
> occasional exceptions like this, so maybe we leave the wording as-is?
>
> Alexander
>
