oss-sec mailing list archives

Re: [oCERT-2011-003] multiple implementations denial-of-service via hash algorithm collision


From: Solar Designer <solar () openwall com>
Date: Sun, 1 Jan 2012 10:24:23 +0400

On Thu, Dec 29, 2011 at 11:58:21PM +0100, Andrea Barisani wrote:
> As stated in our timeline the embargo date was requested by reporters:
> "2011-09-25: vulnerability report received, reporters set embargo date to December 27th"
>
> Our disclosure policy also says:
> "- in any circumstance reporter preference will always be honoured in case a
> joint agreement is not reached, as oCERT would be anyway unable to force its
> embargo"
>
> We tried to negotiate an earlier embargo time as, obviously, many complained
> about the unfortunate timing considering xmas holidays but the reporters really
> wanted to release this after the CCC talk.
>
> It is oCERT policy to not leak reports before the desired date set by the
> reporters if a more favourable one is not agreed upon.
>
> Hope this clarifies the exception.

It does (at least for me).  I just felt that this needed to be said.

Thank you!

Alexander

