Date: Wed, 29 Jul 2015 22:16:57 +0200
From: z80 <z80@...ealchemy.be>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

Actually, the thing is very simple:

- H4x0rz: Lose The Ego!
- H4x0rz: Lose The L33t Principles!
- H4x0rz: Use your Brain v1.0

What would Brain v1.0 have told you when thinking about releasing an exploit at the same time as the patch...

On 24/07/2015 17:56, mancha wrote:
> On Thu, Jul 23, 2015 at 08:43:43PM +0200, Leif Nixon wrote:
>> Qualys Security Advisory <qsa@...lys.com> writes:
>>
>>> Hello, it is July 23, 2015, 17:00 UTC, the Coordinated Release Date
>>> for CVE-2015-3245 and CVE-2015-3246. Please find our advisory
>>> below, and our exploit attached.
>>
>> *Why* are you releasing a full exploit just minutes after the patch is
>> released?
>>
>> (Disclosure: I am employed by Red Hat, but this is my purely personal
>> question.)
>>
>> -- Leif Nixon
>
> There was absolutely nothing wrong with Qualys' timing. When the embargo
> ends, it ends.
>
> The real problem is the underlying model: "responsible disclosure". It's
> nothing more than a CYA strategy that doesn't maximize the ecosystem's
> welfare. The positive-sounding name fools some into thinking it a good
> thing.
>
> --mancha