oss-sec mailing list archives
Re: Linux BlueBorne vulnerabilities
From: Solar Designer <solar () openwall com>
Date: Thu, 14 Sep 2017 23:26:38 +0200
On Thu, Sep 14, 2017 at 08:14:03PM +0000, Armis Security wrote:
> On August 15th we contacted one of the senior maintainers of BlueZ and attempted to establish a longer embargo period with him. Unfortunately his suggestion was to post our findings to linux-bluetooth () vger kernel org, which is a public mailing list.
While I understand you not wanting to post to a public mailing list right away, why exactly would you have wanted a longer embargo than e.g. linux-distros' maximum of 14 days?
> So we decided to disclose our findings to the secure mailing list that unfortunately only has a maximum embargo period of 7 days.
You're probably referring to the Linux kernel security list. 7 days sounds like a reasonable embargo period to me, but if you really wanted more, you could get up to 14 by first contacting linux-distros only, and then bringing the issue to the Linux kernel security list in no more than 7 days to the planned public disclosure.
> I am happy to hear the Red Hat security team allows for longer embargo periods, and we will contact you directly in the future.
I hope you will only go for a longer embargo when there's actually a good reason for that. There might or might not have been in this case.

Alexander