oss-sec mailing list archives
Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser
From: mancha <mancha1 () zoho com>
Date: Mon, 27 Jul 2015 11:52:27 +0000
On Fri, Jul 24, 2015 at 12:37:29PM -0500, Brandon Perry wrote:
> Prefer the term coordinated disclosure.
>
> Sent from a phone
>
> On Jul 24, 2015, at 10:56 AM, mancha <mancha1 () zoho com> wrote:
>
>> On Thu, Jul 23, 2015 at 08:43:43PM +0200, Leif Nixon wrote:
>>> Qualys Security Advisory <qsa () qualys com> writes:
>>>
>>>> Hello, it is July 23, 2015, 17:00 UTC, the Coordinated Release Date
>>>> for CVE-2015-3245 and CVE-2015-3246. Please find our advisory below,
>>>> and our exploit attached.
>>>
>>> *Why* are you releasing a full exploit just minutes after the patch is
>>> released? (Disclosure: I am employed by Red Hat, but this is my purely
>>> personal question.)
>>>
>>> -- Leif Nixon
>>
>> There was absolutely nothing wrong with Qualys' timing. When the embargo
>> ends, it ends. The real problem is the underlying model: "responsible
>> disclosure". It's nothing more than a CYA strategy that doesn't maximize
>> the ecosystem's welfare. The positive-sounding name fools some into
>> thinking it a good thing.
>>
>> --mancha

Agreed. Coordinated disclosure is much more precise. Also, it's judgment-free unlike the loaded term "responsible disclosure" that implies alternative disclosure models like full disclosure are irresponsible. --mancha