Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

[mancha <mancha1 () zoho com>]

On Fri, Jul 24, 2015 at 12:37:29PM -0500, Brandon Perry wrote:
> Prefer the term coordinated disclosure.
>
> Sent from a phone
>
> > On Jul 24, 2015, at 10:56 AM, mancha <mancha1 () zoho com> wrote:
> >
> > > On Thu, Jul 23, 2015 at 08:43:43PM +0200, Leif Nixon wrote: Qualys
> > > Security Advisory <qsa () qualys com> writes:
> > >
> > > > Hello, it is July 23, 2015, 17:00 UTC, the Coordinated Release
> > > > Date for CVE-2015-3245 and CVE-2015-3246.  Please find our
> > > > advisory below, and our exploit attached.
> > >
> > > *Why* are you releasing a full exploit just minutes after the patch
> > > is released?
> > >
> > > (Disclosure: I am employed by Red Hat, but this is my purely
> > > personal question.)
> > >
> > > -- Leif Nixon
> >
> > There was absolutely nothing wrong with Qualys' timing. When the
> > embargo ends, it ends.  
> >
> > The real problem is the underlying model: "responsible disclosure".
> > It's nothing more than a CYA strategy that doesn't maximize the
> > ecosystem's welfare. The positive-sounding name fools some into
> > thinking it a good thing.
> >
> > --mancha

Agreed. Coordinated disclosure is much more precise.

Also, it's judgment-free unlike the loaded term "responsible disclosure"
that implies alternative disclosure models like full disclosure are
irresponsible.

--mancha

Attachment: _bin
Description: