Date: Sun, 1 Jan 2012 10:24:23 +0400
From: Solar Designer <solar@...nwall.com>
To: Andrea Barisani <lcars@...rt.org>
Cc: oss-security@...ts.openwall.com
Subject: Re: [oCERT-2011-003] multiple implementations denial-of-service via hash algorithm collision

On Thu, Dec 29, 2011 at 11:58:21PM +0100, Andrea Barisani wrote:
> As stated in our timeline the embargo date was requested by reporters:
> "2011-09-25: vulnerability report received, reporters set embargo date to December 27th"
> 
> Our disclosure policy also says:
> "- in any circumstance reporter preference will always be honoured in case a
> joint agreement is not reached, as oCERT would be anyway unable to force its
> embargo"
> 
> We tried to negotiate an earlier embargo time as, obviously, many complained
> about the unfortunate timing considering xmas holidays but the reporters really
> wanted to release this after the CCC talk.
> 
> It is oCERT policy to not leak reports before the desired date set by the
> reporters if a more favourable one is not agreed upon.
> 
> Hope this clarifies the exception.

It does (at least for me).  I just felt that this needed to be said.

Thank you!

Alexander
