Message-ID: <20180124030215.ugiofq23lmyurwsa@dojo.mi.org>
Date: Tue, 23 Jan 2018 22:02:15 -0500
From: "Mike O'Connor" <mjo@...o.mi.org>
To: oss-security@...ts.openwall.com
Subject: Re: How to deal with reporters who don't want their
 bugs fixed?

:Subject says it all: What do you do if you receive a vulnerability report,
:and the reporter requests an embargo at some time in the future because
:that's when their paper/conference presentation/patent submission is
:scheduled?
:
:The obvious approach is to find a prior public report of essentially the same
:bug and fix that (which will work surprisingly often), but let's assume that
:this isn't the case.

Well, does the embargo add value for the consumers of the product?
That had historically been my guideline, when I've had to make that
call.  Will it improve the fix, documentation, delivery mechanisms,
etc.?  Sometimes, the answer is "yes".  Other times, not so much, or
it's fairly indeterminate.  You don't always know all the facts, or
all the players; you're left with educated guessing.

Sometimes, you can persuade researchers to a vendor-friendly point of
view on disclosure by simply asking them if they think this is in the
best interests of the users.  Other times, you work with someone who
cares more about adding a CVE and/or bounty to their resume, or they
are disingenuous or simply incapable of keeping secrets.

If there's evidence of open exploitation, all bets should be off and
that should be stated up front.  At that point, of course, it ceases
adding value.  An agreed disclosure date does not generally amount to
an NDA or the like.

-Mike

-- 
 Michael J. O'Connor                                          mjo@...o.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"The defendant pleaded exterminating circumstances."       -Anguished English
