Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 24 Jul 2015 11:47:31 +0200
From: Leif Nixon <>
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

Philip Pettersson <> writes:

> On Fri, Jul 24, 2015 at 3:43 AM, Leif Nixon <> wrote:
>> Qualys Security Advisory <> writes:
>>> Hello, it is July 23, 2015, 17:00 UTC, the Coordinated Release Date for
>>> CVE-2015-3245 and CVE-2015-3246.  Please find our advisory below, and
>>> our exploit attached.
>> *Why* are you releasing a full exploit just minutes after the patch is
>> released?
>> (Disclosure: I am employed by Red Hat, but this is my purely personal question.)
> That's how coordinated release dates work. Instead of trying to shame
> Qualys for not following your arbitrary views on what is and isn't
> "Responsible Disclosure", perhaps you should make sure Red Hat
> releases patches hours before the CRD, like Ubuntu does?

Oh, hi there.

My views are not very arbitrary; rather they are based on years of
trying to defend big infrastructures.

As I see it, there are two reasons for releasing working exploits
without warning;

1) Forcing the hand of a non-responsive vendor,

2) Stroking a weak ego by showing off. (Or for marketing, but that comes
   to the same thing.)

Except for case 1, releasing a working exploit *does not help anybody*
except the kiddies. If there are other reasons, I'd like to be told
about them.

If Qualys had released a slightly less detailed advisory, or even just
left off the actual exploit, and given users a day or two to patch their
systems before going full disclosure, the risk to innocent bystanders
would have been much reduced.

Leif Nixon
"supercomputer specialists are charming, polite [and] witty" -- Wired Magazine

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ