Date: Sun, 17 Sep 2017 18:23:44 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Alexander Batischev <eual.jp@...il.com>
Subject: Re: Podbeuter podcast fetcher: remote code execution

On Sun, Sep 17, 2017 at 09:59:11AM -0600, Kurt Seifried wrote:
> many orgs (probably not open source distros run by
> volunteers, but more big corps) literally do have a clock start ticking
> when a CVE comes to light

I think that's not a reason to delay disclosing an issue to everyone
else until there's a CVE ID.  If those orgs have such poor, limited, or
maybe cost-saving processes (saving on not needing to bother with issues
lacking CVE IDs, no matter how serious), it's their problem and their
users'.  They deliberately put themselves at a competitive disadvantage.
So be it.  This only reaffirms me in my suggested approach: public
disclosure first, CVE next.  So those big corps will have a reason to
fix the issues anyway, just with their self-imposed delay.

Alexander
