Date: Thu, 18 Jan 2018 20:53:25 +0100 From: Yves-Alexis Perez <corsac@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: How to deal with reporters who don't want their bugs fixed? On Thu, 2018-01-18 at 18:21 +0100, Matthias Fetzer wrote: > Well. The result might be, that they will *not* report the vulnerability > at all, but publish their findings as a 0day at a conference. So the > users security highly benefits, if patches are available right > before/after/during the conference. > > This is not the best case, but still better than unpatched, published 0days. I'm also not a huge fan of embargoes for conferences. It did happen for Debian so we discussed that issues with the security researchers to make the fix happens rather sooner than later. One important thing, in my opinion, is that conferences should also encourage their speakers to actively coordinate with vendors in order for things to be fixed *before* and published either before or just for the conference. It might be wishful thinking but I'm not sure conferences organizers are really thrilled when a 0day is dumped right before the audience during the talk (pwn2own might be an exception though). Regards, -- Yves-Alexis Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.