oss-sec mailing list archives
Re: Podbeuter podcast fetcher: remote code execution
From: Solar Designer <solar () openwall com>
Date: Sun, 17 Sep 2017 18:23:44 +0200
On Sun, Sep 17, 2017 at 09:59:11AM -0600, Kurt Seifried wrote:
> many orgs (probably not open source distros run by volunteers, but more big corps) literally do have a clock start ticking when a CVE comes to light

I think that's not a reason to delay disclosing an issue to everyone else until there's a CVE ID. If those orgs have such poor, limited, or maybe cost-saving processes (saving on not needing to bother with issues lacking CVE IDs, no matter how serious), it's their problem and their users'. They deliberately put themselves at a competitive disadvantage. So be it.

This only reaffirms me in my suggested approach: public disclosure first, CVE next. So those big corps will have a reason to fix the issues anyway, just with their self-imposed delay.

Alexander
Current thread:
- Podbeuter podcast fetcher: remote code execution Alexander Batischev (Sep 16)
- Re: Podbeuter podcast fetcher: remote code execution Solar Designer (Sep 16)
- Re: Podbeuter podcast fetcher: remote code execution Alexander Batischev (Sep 17)
- Re: Podbeuter podcast fetcher: remote code execution Solar Designer (Sep 17)
- Re: Podbeuter podcast fetcher: remote code execution Kurt Seifried (Sep 17)
- Re: Podbeuter podcast fetcher: remote code execution Solar Designer (Sep 17)
- Re: Podbeuter podcast fetcher: remote code execution Kurt Seifried (Sep 17)
- Re: Podbeuter podcast fetcher: remote code execution Alexander Batischev (Sep 17)
- Re: Podbeuter podcast fetcher: remote code execution Solar Designer (Sep 16)