Message-ID: <40a5c55e-aef3-f900-9ad1-5b2d9931a07e@rofl.cat>
Date: Thu, 18 Jan 2018 18:21:27 +0100
From: Matthias Fetzer <admin@...l.cat>
To: oss-security@...ts.openwall.com
Subject: Re: How to deal with reporters who don't want their bugs fixed?

Hi Gynvael,

On 01/18/2018 06:06 PM, Gynvael Coldwind wrote:
> On the other hand there are reasons for embargoes which I don't find valid,
> where the examples you've given ("paper/conference presentation/patent
> submission") fall into this category.
> They don't sound as something that would benefit users' security (please
> correct me if I'm wrong) and I'm not a big fan of sitting on already
> discovered unpatched security bugs (in the end bug discovery might be a
> function of time for all we know).

Well. The result might be that they will *not* report the vulnerability
at all, but publish their findings as a 0day at a conference. So the
users' security highly benefits if patches are available right
before/after/during the conference.

This is not the best case, but still better than unpatched, published 0days.

Best regards,
Matthias
