Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 20 Jan 2018 10:57:27 -0800
From: Tavis Ormandy <>
Subject: Re: How to deal with reporters who don't want their
 bugs fixed?

On Fri, Jan 19, 2018 at 6:04 AM, Igor Seletskiy <> wrote:
> Hi Greg,
> I am sure you are right, as you were in the epicenter of it and saw things
> happening. More than that -- I am really thankful to a group of people who
> worked on fixing it for months to get us where we are. Don't get me wrong -
> in no way, I am blaming anyone.
> Yet, KAISER patch & especially patch from AMD to the mailing list created a
> lot of rumors, that I believe forced earlier disclosure -- because things
> got into 'semi-public' state.
> I might be wrong, I don't have all the info, and I am sure that people who
> were at the center of it have a better understanding of what & why happened.

A better example would be shellshock, a patch was developed in private
under embargo, but as soon as the details were public it was obvious
the patch was incomplete. When it was finally public, we were able to
analyze the problem and develop a real solution - the embargo did
nothing but needlessly delay that process.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.