Date: Mon, 22 Jan 2018 11:41:56 -0800
From: Ian Zimmerman <itz@...y.loosely.org>
To: oss-security@...ts.openwall.com
Subject: Re: How to deal with reporters who don't want their bugs fixed?

On 2018-01-22 17:20, Mikhail Utin wrote:

>> Keeping it individual without public announced maximum embargo time
>> would also help prevent folks from jumping to 0daying everything per
>> default:)

> However, to me it is pure "Security by Obscurity" in a bit different
> wording. It never worked. Simply think that somebody else knows the
> secret and with your help continues using that.

I think you misunderstand the parent post. Nobody is proposing that the
embargo period for any _particular_ issue be secret. The proposal in
the parent post was to not have a public general embargo policy for
_all_ issues present & future.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet, fetch the TXT record for the domain.