oss-sec mailing list archives

Re: How to deal with reporters who don't want their bugs fixed?


From: Yves-Alexis Perez <corsac () debian org>
Date: Thu, 18 Jan 2018 20:53:25 +0100

On Thu, 2018-01-18 at 18:21 +0100, Matthias Fetzer wrote:
> Well. The result might be that they will *not* report the vulnerability
> at all, but publish their findings as a 0day at a conference. So users'
> security highly benefits if patches are available right
> before/after/during the conference.
>
> This is not the best case, but still better than unpatched, published 0days.

I'm also not a huge fan of embargoes for conferences. It did happen for Debian,
so we discussed the issues with the security researchers to make the fix
happen sooner rather than later.

One important thing, in my opinion, is that conferences should also encourage
their speakers to actively coordinate with vendors in order for things to be
fixed *before* and published either before or just for the conference. It
might be wishful thinking, but I'm not sure conference organizers are really
thrilled when a 0day is dumped right before the audience during the talk
(pwn2own might be an exception though).

Regards,
-- 
Yves-Alexis
