Date: Tue, 23 Jan 2018 22:02:15 -0500
From: "Mike O'Connor" <mjo@...o.mi.org>
To: oss-security@...ts.openwall.com
Subject: Re: How to deal with reporters who don't want their bugs fixed?

:Subject says it all: What do you do if you receive a vulnerability report,
:and the reporter requests an embargo at some time in the future because
:that's when their paper/conference presentation/patent submission is
:scheduled?
:
:The obvious approach is to find a prior public report of essentially the same
:bug and fix that (which will work surprisingly often), but let's assume that
:this isn't the case.

Well, does the embargo add value for the consumers of the product?  That had
historically been my guideline, when I've had to make that call.  Will it
improve the fix, documentation, delivery mechanisms, etc.?

Sometimes, the answer is "yes".  Other times, not so much, or it's fairly
indeterminate.  You don't always know all the facts, or all the players; you're
left with educated guessing.

Sometimes, you can persuade researchers to a vendor-friendly point of view on
disclosure by simply asking them if they think this is in the best interests of
the users.  Other times, you work with someone who cares more about adding a
CVE and|or bounty to their resume, or they are disingenuous or simply incapable
of keeping secrets.

If there's evidence of open exploitation, all bets should be off and that
should be stated up front.  At that point, of course, it ceases adding value.
An agreed disclosure date does not generally amount to an NDA or the like.

-Mike

--
Michael J. O'Connor                                            mjo@...o.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"The defendant pleaded exterminating circumstances."  -Anguished English