Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 26 Jan 2018 20:15:03 +0100
From: Solar Designer <>
Subject: Re: How to deal with reporters who don't want their bugs fixed?

On Fri, Jan 26, 2018 at 05:48:14PM +0000, Mikhail Utin wrote:
> I 100% agree with Solar's response. We should not limit our freedom to choose how we will handle our intellectual property. That is how I read the original statements below.

Oh, so-called "intellectual property".  I'm not thinking in such terms.

What I meant is that projects expecting to receive vulnerability reports
are not to be obliged by some industry standard to impose any specific
rules on the reporters.  This does mean that, among other things, those
projects do not have to insist on a maximum embargo time (even though I
advocate that they do), and as a side-effect this might assist someone
probably selfish with monetization of so-called "intellectual property".

Basically, you saw what you wanted to see.  Yes, it's kind of there, but
it wasn't in focus.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.