Date: Fri, 24 Jul 2015 15:56:25 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: Qualys Security Advisory <qsa@...lys.com>
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

On Thu, Jul 23, 2015 at 08:43:43PM +0200, Leif Nixon wrote:
> Qualys Security Advisory <qsa@...lys.com> writes:
>
> > Hello, it is July 23, 2015, 17:00 UTC, the Coordinated Release Date
> > for CVE-2015-3245 and CVE-2015-3246. Please find our advisory
> > below, and our exploit attached.
>
> *Why* are you releasing a full exploit just minutes after the patch is
> released?
>
> (Disclosure: I am employed by Red Hat, but this is my purely personal
> question.)
>
> --
> Leif Nixon

There was absolutely nothing wrong with Qualys' timing. When the embargo
ends, it ends.

The real problem is the underlying model: "responsible disclosure". It's
nothing more than a CYA strategy that doesn't maximize the ecosystem's
welfare. The positive-sounding name fools some into thinking it a good
thing.

--mancha

Content of type "application/pgp-signature" skipped