Date: Thu, 18 Jan 2018 18:21:27 +0100 From: Matthias Fetzer <admin@...l.cat> To: oss-security@...ts.openwall.com Subject: Re: How to deal with reporters who don't want their bugs fixed? Hi Gynvael, On 01/18/2018 06:06 PM, Gynvael Coldwind wrote: > On the other hand there are reasons for embargoes which I don't find valid, > where the examples you've given ("paper/conference presentation/patent > submission") fall into this category. > They don't sound as something that would benefit users' security (please > correct me if I'm wrong) and I'm not a big fan of sitting on already > discovered unpatched security bugs (in the end bug discovery might be a > function of time for all we know). Well. The result might be, that they will *not* report the vulnerability at all, but publish their findings as a 0day at a conference. So the users security highly benefits, if patches are available right before/after/during the conference. This is not the best case, but still better than unpatched, published 0days. Best regards, Matthias
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.