Date: Fri, 24 Jul 2015 23:03:20 +1000
From: Joshua Rogers <oss@...ernot.info>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

On 24/07/15 22:15, Martino Dell'Ambrogio wrote:
> Moreover, as soon as systems can be patched, they should be.
> Of course a few hours' delay is not realistic, but I want to be sure that
> everyone understands how much "releasing a working exploit *does not
> help anybody*" is false.
>
> I urge researchers to continue to release their exploits into the public
> domain.
> Do it "responsibly", maybe get help in order to do it correctly, but do
> it, because it's beneficial more than harmful to any potential target.

I concur. The release of PoCs is very important, for many reasons. It allows, as stated, the ability to pentest a system efficiently.

I think in this case, it is inappropriate for a PoC to be released on the same day as the updates being pushed.

As everybody knows, there are a lot of hacked boxes on the internet. Now some guy who has a botnet of local users will be able to mass-root all the boxes while the owners sleep, because they have been given no warning at all about this.

Even if 48 hours were waited before the PoC was released, it would be much better.

That's just my 2 cents anyway.

Thanks,
--
-- Joshua Rogers <https://internot.info/>