Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 27 Jul 2015 11:52:27 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: bperry.volatile@...il.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245
 userhelper - CVE-2015-3246 libuser

On Fri, Jul 24, 2015 at 12:37:29PM -0500, Brandon Perry wrote:
> Prefer the term coordinated disclosure.
> 
> Sent from a phone
> 
> > On Jul 24, 2015, at 10:56 AM, mancha <mancha1@...o.com> wrote:
> > 
> >> On Thu, Jul 23, 2015 at 08:43:43PM +0200, Leif Nixon wrote: Qualys
> >> Security Advisory <qsa@...lys.com> writes:
> >> 
> >>> Hello, it is July 23, 2015, 17:00 UTC, the Coordinated Release
> >>> Date for CVE-2015-3245 and CVE-2015-3246.  Please find our
> >>> advisory below, and our exploit attached.
> >> 
> >> *Why* are you releasing a full exploit just minutes after the patch
> >> is released?
> >> 
> >> (Disclosure: I am employed by Red Hat, but this is my purely
> >> personal question.)
> >> 
> >> -- Leif Nixon
> > 
> > There was absolutely nothing wrong with Qualys' timing. When the
> > embargo ends, it ends.  
> > 
> > The real problem is the underlying model: "responsible disclosure".
> > It's nothing more than a CYA strategy that doesn't maximize the
> > ecosystem's welfare. The positive-sounding name fools some into
> > thinking it a good thing.
> > 
> > --mancha

Agreed. Coordinated disclosure is much more precise.

Also, it's judgment-free unlike the loaded term "responsible disclosure"
that implies alternative disclosure models like full disclosure are
irresponsible.

--mancha

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ