Date: Wed, 29 Oct 2014 03:48:19 +0300
From: Alexander Cherepanov <cherepan@...me.ru>
To: oss-security@...ts.openwall.com
Subject: Re: list policy (Re: Truly scary SSL 3.0 vuln to be revealed soon:)

On 2014-10-29 02:47, Kurt Seifried wrote:
> On 28/10/14 07:47 AM, Alexander Cherepanov wrote:
>> On 2014-10-15 12:30, Solar Designer wrote:
>>> - Please don't send fully working exploits (but testcases that exercise
>>> the flaw are welcome)
>>>
>>> FWIW, I've always been tempted to remove the latter guideline,
>>
>> Then perhaps just remove it? It always seemed to me a strange
>> restriction. Other guidelines are either technical in nature or they are
>> intended to reduce the amount of noise. This restriction seems to be
>> neither.
>>
>> Or you can replace it with something like this:
>> - Please only send fully working exploits which themselves are open-source.
>>
> Will someone/people vet the exploits to make sure they are not trojan
> horses/self harming (e.g. the rm -rf * embedded in it somewhere?).
> Strikes me as a heck of a watering hole attack potentially (and yes,
> list members should know better, but ... yeah).

This is an interesting question, but how do "fully working exploits" differ
from "testcases that exercise the flaw" in this regard?

--
Alexander Cherepanov