Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20180118205843.GR1627@brightrain.aerifal.cx>
Date: Thu, 18 Jan 2018 15:58:43 -0500
From: Rich Felker <dalias@...c.org>
To: oss-security@...ts.openwall.com
Subject: Re: How to deal with reporters who don't want their
 bugs fixed?

On Thu, Jan 18, 2018 at 05:10:05PM +0100, Florian Weimer wrote:
> Subject says it all: What do you do if you receive a vulnerability
> report, and the reporter requests an embargo at some time in the
> future because that's when their paper/conference
> presentation/patent submission is scheduled?
> 
> The obvious approach is to find a prior public report of essentially
> the same bug and fix that (which will work surprisingly often), but
> let's assume that this isn't the case.

Assuming there is no good reason for the embargo (like coordination
with other affected parties), ignore the embargo, fix the bug, and
report the behavior to the conference. Conferences should adopt
policies not to host speakers who request that users be left
unprotected for any extended period for the sake of their own ego
trip.

Rich

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.