Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 24 Jul 2015 22:46:04 +0200
From: Leif Nixon <>
Subject: Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

Martino Dell'Ambrogio <> writes:

> On 07/24/2015 11:47 AM, Leif Nixon wrote:
>> [...]
>> As I see it, there are two reasons for releasing working exploits
>> without warning;
>> 1) Forcing the hand of a non-responsive vendor,
>> 2) Stroking a weak ego by showing off. (Or for marketing, but that comes
>>    to the same thing.)
>> Except for case 1, releasing a working exploit *does not help anybody*
>> except the kiddies. If there are other reasons, I'd like to be told
>> about them.
>> If Qualys had released a slightly less detailed advisory, or even just
>> left off the actual exploit, and given users a day or two to patch their
>> systems before going full disclosure, the risk to innocent bystanders
>> would have been much reduced.
> Actually, releasing a working exploit helps our customers more often
> than not.
> In professional pentesting, proof of exploitation is essential.
> Most often than not, a real attacker will invest time and resources into
> a working exploit, the customer will not feel the need to invest into it
> just for simulation.

I may have been somewhat unclear; what I'm (very) upset about is the
release of a working exploit without giving the user community a
realistic chance to patch.

Leif Nixon
"supercomputer specialists are charming, polite [and] witty" -- Wired Magazine

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.