reporter on deadline seeks comment about reported security bug
keramida at freebsd.org
Tue Sep 15 13:54:22 UTC 2009
On Tue, 15 Sep 2009 09:58:31 +0200, Przemyslaw Frasunek <przemyslaw at frasunek.com> wrote:
> Giorgos Keramidas wrote:
>> Przemyslaw should email security-officer with any details he thinks are
>> relevant. Then the security team will make sure to fix the bug for all
>> affected releases of FreeBSD, release a patch with the fix, issue an
>> advisory through the usual channels, and post the details online at our
>> security information web pages at <http://www.FreeBSD.org/security/>.
> I see that I received a lot of criticism after disclosing 6.4 vulnerability.
> Please read some facts:
> I send few mails: on 29th Aug to security team, on 2nd Sep and 11th Sep directly
> to security officer. None of them were responded. I haven't filled any PRs,
> because it would disclose details of vulnerability to the public and allow
> blackhats to exploit it.
> I won't publish anything more than video, before official security advisory. The
> exploit is private to me and it won't be given to the "community".
What I wrote is not criticism for what you have or might have not done.
I now know (after posting the initial message) that the security officer
is preparing a fix and an advisory, so my response was more like ``this
is the usual way of handling this sort of thing''. The wording was a
bit careful to avoid implying that you didn't know or were not prepared
to do what is appropriate :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 195 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20090915/5d704d3f/attachment.pgp
More information about the freebsd-questions