Date: Thu, 18 Jan 2018 18:21:27 +0100
From: Matthias Fetzer <admin@...l.cat>
To: oss-security@...ts.openwall.com
Subject: Re: How to deal with reporters who don't want their bugs fixed?

Hi Gynvael,

On 01/18/2018 06:06 PM, Gynvael Coldwind wrote:
> On the other hand there are reasons for embargoes which I don't find valid,
> where the examples you've given ("paper/conference presentation/patent
> submission") fall into this category.
> They don't sound as something that would benefit users' security (please
> correct me if I'm wrong) and I'm not a big fan of sitting on already
> discovered unpatched security bugs (in the end bug discovery might be a
> function of time for all we know).

Well. The result might be that they will *not* report the vulnerability at all, but publish their findings as a 0day at a conference. So the users' security highly benefits if patches are available right before/after/during the conference. This is not the best case, but still better than unpatched, published 0days.

Best regards,
Matthias