Date: Tue, 28 Oct 2014 17:47:04 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: list policy (Re: Truly scary SSL 3.0 vuln to be
 revealed soon:)

Will someone/people vet the exploits to make sure they are not trojan
horses/self-harming (e.g. the rm -rf * embedded in it somewhere)?
Strikes me as a heck of a watering hole attack potentially (and yes,
list members should know better, but ... yeah).

On 28/10/14 07:47 AM, Alexander Cherepanov wrote:
> On 2014-10-15 12:30, Solar Designer wrote:
>> - Please don't send fully working exploits (but testcases that exercise
>> the flaw are welcome)
>>
>> FWIW, I've always been tempted to remove the latter guideline,
> 
> Then perhaps just remove it? It always seemed to me a strange
> restriction. Other guidelines are either technical in nature or they are
> intended to reduce the amount of noise. This restriction seems to be
> neither.
> 
> Or you can replace it with something like this:
> - Please only send fully working exploits which themselves are open-source.
> 

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

