oss-sec mailing list archives
Re: How to deal with reporters who don't want their bugs fixed?
From: Matthias Fetzer <admin () rofl cat>
Date: Thu, 18 Jan 2018 18:21:27 +0100
Hi Gynvael,

On 01/18/2018 06:06 PM, Gynvael Coldwind wrote:
> On the other hand there are reasons for embargoes which I don't find valid, where the examples you've given ("paper/conference presentation/patent submission") fall into this category. They don't sound like something that would benefit users' security (please correct me if I'm wrong) and I'm not a big fan of sitting on already discovered unpatched security bugs (in the end bug discovery might be a function of time for all we know).

Well. The result might be that they will *not* report the vulnerability at all, but publish their findings as a 0day at a conference. So the users' security highly benefits if patches are available right before/after/during the conference. This is not the best case, but still better than unpatched, published 0days.

Best regards,
Matthias