Date: Thu, 18 Jan 2018 18:21:27 +0100
From: Matthias Fetzer <admin@...l.cat>
To: oss-security@...ts.openwall.com
Subject: Re: How to deal with reporters who don't want their bugs fixed?

Hi Gynvael,

On 01/18/2018 06:06 PM, Gynvael Coldwind wrote:
> On the other hand there are reasons for embargoes which I don't find valid,
> where the examples you've given ("paper/conference presentation/patent
> submission") fall into this category.
> They don't sound as something that would benefit users' security (please
> correct me if I'm wrong) and I'm not a big fan of sitting on already
> discovered unpatched security bugs (in the end bug discovery might be a
> function of time for all we know).

Well. The result might be that they will *not* report the vulnerability
at all, but publish their findings as a 0day at a conference. So the
users' security benefits highly if patches are available right
before/after/during the conference.

This is not the best case, but still better than unpatched, published 0days.

Best regards,
Matthias
