reporter on deadline seeks comment about reported security bug in FreeBSD

Mel Flynn mel.flynn+fbsd.questions at
Tue Sep 15 19:39:53 UTC 2009

On Tuesday 15 September 2009 21:14:25 Jerry wrote:
> On Tue, 15 Sep 2009 20:51:40 +0200
> Mel Flynn <mel.flynn+fbsd.questions at> wrote:

> > The exception is
> > when exploits are already in the wild and a work around is available,
> > while a real fix will take more work.

> Assume that I have discovered a vulnerability in a widely used, or even
> marginal for arguments sake, program. I now start to exploit that
> vulnerability. Now assume that you are responsible for maintaining,
> that program. Use any job description that suits you for this purpose.
> Are you claiming that since it may take several months to fix, it is
> better to let users be exploited rather than inform them that there is
> an exploitable problem in said software? I fine that extremely
> disturbing.

Then I suggest you cancel your internet account(s). Also, it helps to read 
what people are writing.

But for the corner case where you are the person reporting me this 
vulnerability, telling me you won't exploit it, then do it anyway, there is no 
guard in place, other then that sooner or later, you'll compromise a machine 
administered by someone able to retrace what happened and it'll come back to 
me and I'd move up the timetable, cook up a work around and publish the 
There is some level of trust between reporter and fixer, whether it be good or 
bad, it's simply a fact of life and not likely to change.

More information about the freebsd-questions mailing list