Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 29 Jul 2015 22:16:57 +0200
From: z80 <z80@...ealchemy.be>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - CVE-2015-3245
 userhelper - CVE-2015-3246 libuser


Actually, the things is very simple:

- H4x0rz: Lose The Ego!
- H4x0rz: Lose The L33t Principles!

- H4x0rz: Use your Brain v1.0

What would Brain v1.0 have told you when thinking about releasing an
exploit at the same time than the patch...




On 24/07/2015 17:56, mancha wrote:
> On Thu, Jul 23, 2015 at 08:43:43PM +0200, Leif Nixon wrote:
>> Qualys Security Advisory <qsa@...lys.com> writes:
>>
>>> Hello, it is July 23, 2015, 17:00 UTC, the Coordinated Release Date
>>> for CVE-2015-3245 and CVE-2015-3246.  Please find our advisory
>>> below, and our exploit attached.
>>
>> *Why* are you releasing a full exploit just minutes after the patch is
>> released?
>>
>> (Disclosure: I am employed by Red Hat, but this is my purely personal
>> question.)
>>
>> -- Leif Nixon
> 
> There was absolutely nothing wrong with Qualys' timing. When the embargo
> ends, it ends.  
> 
> The real problem is the underlying model: "responsible disclosure". It's
> nothing more than a CYA strategy that doesn't maximize the ecosystem's
> welfare. The positive-sounding name fools some into thinking it a good
> thing.
> 
> --mancha
> 

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ