Re: Re: USBCreator D-Bus service

[Kurt Seifried <kseifried () redhat com>]

On 04/22/2015 07:34 PM, Marc Deslauriers wrote:
> On 2015-04-22 08:50 PM, Tavis Ormandy wrote:
> > On Wednesday, April 22, 2015, Seth Arnold <seth.arnold () canonical com> wrote:
> > > On Thu, Apr 23, 2015 at 03:04:23AM +0300, Solar Designer wrote:
> > > > Either way, it sounds weird to keep a low severity issue private.  Low
> > > > severity usually means not needing an embargo in the first place.  But I
> > > > guess it was the vendor's preference?
> > >
> > > In this case, no, Ubuntu would have preferred several days embargo for
> > > this issue. Hypothetically speaking, Monday would have been ideal, as
> > > we prefer to not release updates on Friday, Saturday, or Sunday.
> > >
> > > We treat local root escalation vulnerabilities with a high priority[1].
> >
> > I wish you had spoken up during the previous discussion. It was my
> > impression that embargoes for local privilege escalations were universally
> > considered deprecated.
>
> Nonsense, embargoes for local or remote privilege escalations are still
> considered to be high priority and should be handled with an embargo.

Please note that this is Ubuntu/Canonical speaking for themselves and
not on behalf of the entire distros list.


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature