Date: Tue, 28 Oct 2014 17:47:04 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: list policy (Re: Truly scary SSL 3.0 vuln to be revealed soon:) Will someone/people vet the exploits to make sure they are not trojan horses/self harming (e.g. the rm -rf * embedded in it somewhere?). Strikes me as a heck of a watering hole attack potentially (and yes, list members should know better, but ... yeah). On 28/10/14 07:47 AM, Alexander Cherepanov wrote: > On 2014-10-15 12:30, Solar Designer wrote: >> - Please don't send fully working exploits (but testcases that exercise >> the flaw are welcome) >> >> FWIW, I've always been tempted to remove the latter guideline, > > Then perhaps just remove it? It always seemed to me a strange > restriction. Other guidelines are either technical in nature or they are > intended to reduce the amount of noise. This restriction seems to be > neither. > > Of you can replace it with something like this: > - Please only send fully working exploits which themselves are open-source. > -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ