Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 18 Jan 2018 17:06:04 +0000
From: Gynvael Coldwind <gynvael@...dwind.pl>
To: oss-security@...ts.openwall.com
Subject: Re: How to deal with reporters who don't want their
 bugs fixed?

Hi there,

Speaking for myself from a security researcher's perspective, I would say
it depends on the reason for embargo, and what ends up protecting users
better.

There might be valid reasons for embargoes - one example (but not the only
one) is when a given bug affects multiple similar products, and a
disclosure on the side of one product would 0-day users using other
products. It sounds logical to wait until fixes are available before
disclosure (keeping in mind at the same time that a certain sane deadline
must be met too).

On the other hand there are reasons for embargoes which I don't find valid,
where the examples you've given ("paper/conference presentation/patent
submission") fall into this category.
They don't sound as something that would benefit users' security (please
correct me if I'm wrong) and I'm not a big fan of sitting on already
discovered unpatched security bugs (in the end bug discovery might be a
function of time for all we know).

In this case I would consider explaining this to the researcher and
proceeding with patching.
In the end if this causes a given person to report a known-to-them bug just
before a conference/etc it changes little vs. actually waiting for the
proposed just-before-conference/etc deadline anyway (if accepting the
embargo agreement that is).

Cheers,
Gynvael

On Thu, Jan 18, 2018 at 5:11 PM Florian Weimer <fweimer@...hat.com> wrote:

> Subject says it all: What do you do if you receive a vulnerability
> report, and the reporter requests an embargo at some time in the future
> because that's when their paper/conference presentation/patent
> submission is scheduled?
>
> The obvious approach is to find a prior public report of essentially the
> same bug and fix that (which will work surprisingly often), but let's
> assume that this isn't the case.
>
> Thanks,
> Florian
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.