reporter on deadline seeks comment about reported security bug in FreeBSD

Jerry gesbbb at
Tue Sep 15 19:14:27 UTC 2009

On Tue, 15 Sep 2009 20:51:40 +0200
Mel Flynn <mel.flynn+fbsd.questions at> wrote:

> Please inform yourself properly before assuming you're right. Mozilla
> does not by default publish vulnerabilities before a fix is known. In
> some cases publishing has been delayed by months. The exception is
> when exploits are already in the wild and a workaround is available,
> while a real fix will take more work.
> This is also why vulnerabilities are typically not disclosed till a
> fix is known, because it does not protect the typical user, but puts
> him in harm's way, which is exactly what you don't want.
> In theory, if I know the details of this particular exploit, I can
> patch my 6.4 machines myself, but more realistically, if developers
> take all this time to come up with a solution that doesn't break
> functionality the chances that I and more casual users can do this
> are slim. Meanwhile, the exploit will be coded into the usual
> rootkits and internet scanners and casualties will be made. That
> doesn't help anyone.

Assume that I have discovered a vulnerability in a widely used, or even
marginal, for argument's sake, program. I now start to exploit that
vulnerability. Now assume that you are responsible for maintaining
that program. Use any job description that suits you for this purpose.
Are you claiming that since it may take several months to fix, it is
better to let users be exploited rather than inform them that there is
an exploitable problem in said software? I find that extremely

As you can no doubt tell, I am not a believer in the "Ignorance is
bliss" theory.

gesbbb at

In the days of old,
When Knights were bold,
	And women were too cautious;
Oh, those gallant days,
When women were women,
	And men were really obnoxious.

More information about the freebsd-questions mailing list