Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 20 Jan 2018 21:18:25 +0100
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: How to deal with reporters who don't want their
 bugs fixed?

On 01/18/2018 10:21 PM, Solar Designer wrote:
> On Thu, Jan 18, 2018 at 05:10:05PM +0100, Florian Weimer wrote:
>> Subject says it all: What do you do if you receive a vulnerability
>> report, and the reporter requests an embargo at some time in the future
>> because that's when their paper/conference presentation/patent
>> submission is scheduled?
> 
> I think it's best for your project (I guess glibc?) to prominently
> publish near the security contact address a maximum embargo time you'd
> (be likely to) agree to.  That's what security at kernel.org does
> (7 days) and what we do with (linux-)distros (14 days).

I would prefer to be flexible in case something truly awful happens.

Your perspective is skewed because people know that you have a 
preference for short embargoes, so at least I tell people to make sure 
that they have a final patch before contacting the distros list.  Then a 
week or two is probably enough in most cases.  Without a patch, not so much.

On the other hand, it is near impossible to develop quality solutions 
under long embargoes.  We tried that in 2008 and largely failed.  The 
GCC stack checking improvements wouldn't be available today if there had 
been an indefinite, multi-party embargo (we have an aarch64 
implementation which still hasn't been merged upstream).  And a more 
recent attempt yielded few durable results as well.

It also looks like that some reporters see embargoes as a kind of 
validation for their work.  Everyone loves their first embargoes.

> That way, it's
> less important for you to judge whether the reason for embargo is
> valid/altruistic or bogus/selfish - a sane maximum embargo time
> minimizes the damage to all parties either way.

That's not really true.  Depending on the nature of the vulnerability, 
there can be a lot of work before we're confident that we can ship an 
update.  We have some rather bad code out there, with very little or no 
test coverage, and if we modify such code, we really need to make sure 
that users receive a net improvement.  (For example, we thought we had 
the final patch for a DNS stub resolver issue, but it turned out very 
late that it had a crippling memory leak.)

Thanks,
Florian

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.