Date: Sun, 17 Sep 2017 18:23:44 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Alexander Batischev <eual.jp@...il.com>
Subject: Re: Podbeuter podcast fetcher: remote code execution

On Sun, Sep 17, 2017 at 09:59:11AM -0600, Kurt Seifried wrote:
> many orgs (probably not open source distros run by
> volunteers, but more big corps) literally do have a clock start ticking
> when a CVE comes to light

I think that's not a reason to delay disclosing an issue to everyone else until there's a CVE ID.

If those orgs have such poor, limited, or maybe cost-saving processes (saving on not needing to bother with issues lacking CVE IDs, no matter how serious), it's their problem and their users'. They deliberately put themselves at a competitive disadvantage. So be it.

This only reaffirms me in my suggested approach: public disclosure first, CVE next. So those big corps will have a reason to fix the issues anyway, just with their self-imposed delay.

Alexander