Date: Mon, 27 Jul 2015 11:52:27 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: bperry.volatile@...il.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

On Fri, Jul 24, 2015 at 12:37:29PM -0500, Brandon Perry wrote:
> Prefer the term coordinated disclosure.
>
> Sent from a phone
>
> > On Jul 24, 2015, at 10:56 AM, mancha <mancha1@...o.com> wrote:
> >
> >> On Thu, Jul 23, 2015 at 08:43:43PM +0200, Leif Nixon wrote:
> >> Qualys Security Advisory <qsa@...lys.com> writes:
> >>
> >>> Hello, it is July 23, 2015, 17:00 UTC, the Coordinated Release
> >>> Date for CVE-2015-3245 and CVE-2015-3246. Please find our
> >>> advisory below, and our exploit attached.
> >>
> >> *Why* are you releasing a full exploit just minutes after the patch
> >> is released?
> >>
> >> (Disclosure: I am employed by Red Hat, but this is my purely
> >> personal question.)
> >>
> >> --
> >> Leif Nixon
> >
> > There was absolutely nothing wrong with Qualys' timing. When the
> > embargo ends, it ends.
> >
> > The real problem is the underlying model: "responsible disclosure".
> > It's nothing more than a CYA strategy that doesn't maximize the
> > ecosystem's welfare. The positive-sounding name fools some into
> > thinking it a good thing.
> >
> > --mancha

Agreed. Coordinated disclosure is much more precise. Also, it's
judgment-free, unlike the loaded term "responsible disclosure", which
implies that alternative disclosure models like full disclosure are
irresponsible.

--mancha