oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser

From: Brandon Perry <bperry.volatile () gmail com>
Date: Fri, 24 Jul 2015 12:37:29 -0500
Prefer the term coordinated disclosure.

Sent from a phone


On Jul 24, 2015, at 10:56 AM, mancha <mancha1 () zoho com> wrote:


On Thu, Jul 23, 2015 at 08:43:43PM +0200, Leif Nixon wrote:
Qualys Security Advisory <qsa () qualys com> writes:


Hello, it is July 23, 2015, 17:00 UTC, the Coordinated Release Date
for CVE-2015-3245 and CVE-2015-3246.  Please find our advisory
below, and our exploit attached.


*Why* are you releasing a full exploit just minutes after the patch is
released?

(Disclosure: I am employed by Red Hat, but this is my purely personal
question.)

-- Leif Nixon


There was absolutely nothing wrong with Qualys' timing. When the embargo
ends, it ends.  

The real problem is the underlying model: "responsible disclosure". It's
nothing more than a CYA strategy that doesn't maximize the ecosystem's
welfare. The positive-sounding name fools some into thinking it a good
thing.

--mancha
Previous By Date Next
Previous By Thread Next

Current thread: