Dailydave mailing list archives

Re: there might be three people who missed it...


From: Jon Oberheide <jon () oberheide org>
Date: Thu, 22 Jul 2010 19:34:46 -0400

On Thu, 2010-07-22 at 10:13 -0700, Michal Zalewski wrote:
> ...so FYI:
>
> http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html

This brings up an interesting question I had related to cross-vendor
responsible disclosure when I came across a comment from Chris regarding
the recent libpng vulnerability in Chrome:

http://code.google.com/p/chromium/issues/detail?id=45983#c17

(I'm not reproducing the comment here since it's worth reading it in the
full context of the bug)

It's certainly a tricky issue: how does Google balance the secret
disclosure (via an innocent-sounding Chrome commit/update) of a
vulnerability that may help protect _Google's_ users (e.g. Chrome users)
while potentially adversely affecting users of other vendors (when
attackers RE the update and attack unpatched browsers)?

> /me grabs popcorn.

/me brought the sour patch kids and frozen cokes.

Regards,
Jon Oberheide

-- 
Jon Oberheide <jon () oberheide org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE
