Message-ID: <1516305205.23740.8.camel@debian.org>
Date: Thu, 18 Jan 2018 20:53:25 +0100
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: How to deal with reporters who don't want their bugs fixed?
On Thu, 2018-01-18 at 18:21 +0100, Matthias Fetzer wrote:
> Well. The result might be that they will *not* report the vulnerability
> at all, but publish their findings as a 0day at a conference. So the
> users' security highly benefits if patches are available right
> before/after/during the conference.
>
> This is not the best case, but still better than unpatched, published 0days.
I'm also not a huge fan of embargoes for conferences. It did happen for Debian,
so we discussed those issues with the security researchers to make the fix
happen sooner rather than later.
One important thing, in my opinion, is that conferences should also encourage
their speakers to actively coordinate with vendors in order for things to be
fixed *before* and published either before or just for the conference. It
might be wishful thinking, but I'm not sure conference organizers are really
thrilled when a 0day is dumped right before the audience during the talk
(pwn2own might be an exception though).
Regards,
--
Yves-Alexis