oss-sec mailing list archives

Re: How to deal with reporters who don't want their bugs fixed?


From: Matthias Fetzer <admin () rofl cat>
Date: Thu, 18 Jan 2018 18:21:27 +0100

Hi Gynvael,

On 01/18/2018 06:06 PM, Gynvael Coldwind wrote:
> On the other hand there are reasons for embargoes which I don't find valid,
> where the examples you've given ("paper/conference presentation/patent
> submission") fall into this category.
> They don't sound like something that would benefit users' security (please
> correct me if I'm wrong) and I'm not a big fan of sitting on already
> discovered unpatched security bugs (in the end bug discovery might be a
> function of time for all we know).

Well. The result might be that they will *not* report the vulnerability
at all, but publish their findings as a 0day at a conference. So the
users' security highly benefits if patches are available right
before/after/during the conference.

This is not the best case, but still better than unpatched, published 0days.

Best regards,
Matthias

