reporter on deadline seeks comment about reported security bug
mel.flynn+fbsd.questions at mailing.thruhere.net
Tue Sep 15 19:39:53 UTC 2009
On Tuesday 15 September 2009 21:14:25 Jerry wrote:
> On Tue, 15 Sep 2009 20:51:40 +0200
> Mel Flynn <mel.flynn+fbsd.questions at mailing.thruhere.net> wrote:
> > The exception is
> > when exploits are already in the wild and a work around is available,
> > while a real fix will take more work.
> Assume that I have discovered a vulnerability in a widely used, or even
> marginal for arguments sake, program. I now start to exploit that
> vulnerability. Now assume that you are responsible for maintaining,
> that program. Use any job description that suits you for this purpose.
> Are you claiming that since it may take several months to fix, it is
> better to let users be exploited rather than inform them that there is
> an exploitable problem in said software? I find that extremely
Then I suggest you cancel your internet account(s). Also, it helps to read
what people are writing.
But for the corner case where you are the person reporting me this
vulnerability, telling me you won't exploit it, then do it anyway, there is no
guard in place, other than that sooner or later, you'll compromise a machine
administered by someone able to retrace what happened and it'll come back to
me and I'd move up the timetable, cook up a workaround and publish the
There is some level of trust between reporter and fixer, whether it be good or
bad, it's simply a fact of life and not likely to change.