Dailydave mailing list archives
Re: there might be three people who missed it...
From: Jon Oberheide <jon () oberheide org>
Date: Thu, 22 Jul 2010 19:34:46 -0400
On Thu, 2010-07-22 at 10:13 -0700, Michal Zalewski wrote:
> ...so FYI: http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html
This brings up an interesting question I had related to cross-vendor responsible disclosure when I came across a comment from Chris regarding the recent libpng vulnerability in Chrome:

http://code.google.com/p/chromium/issues/detail?id=45983#c17

(I'm not reproducing the comment here since it's worth reading it in the full context of the bug)

It's certainly a tricky issue: how does Google balance the secret disclosure (via an innocent-sounding Chrome commit/update) of a vulnerability that may help protect _Google's_ users (e.g. Chrome users) while potentially adversely affecting users of other vendors (when attackers RE the update and attack unpatched browsers)?
> /me grabs popcorn.
/me brought the sour patch kids and frozen cokes.

Regards,
Jon Oberheide

--
Jon Oberheide <jon () oberheide org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave