Date: Thu, 18 Jan 2018 15:58:43 -0500 From: Rich Felker <dalias@...c.org> To: oss-security@...ts.openwall.com Subject: Re: How to deal with reporters who don't want their bugs fixed? On Thu, Jan 18, 2018 at 05:10:05PM +0100, Florian Weimer wrote: > Subject says it all: What do you do if you receive a vulnerability > report, and the reporter requests an embargo at some time in the > future because that's when their paper/conference > presentation/patent submission is scheduled? > > The obvious approach is to find a prior public report of essentially > the same bug and fix that (which will work surprisingly often), but > let's assume that this isn't the case. Assuming there is no good reason for the embargo (like coordination with other affected parties), ignore the embargo, fix the bug, and report the behavior to the conference. Conferences should adopt policies not to host speakers who request that users be left unprotected for any extended period for the sake of their own ego trip. Rich
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ