Date: Tue, 15 Sep 2009 21:39:50 +0200 From: Mel Flynn <mel.flynn+fbsd.questions@mailing.thruhere.net> To: freebsd-questions@freebsd.org Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD Message-ID: <200909152139.50403.mel.flynn%2Bfbsd.questions@mailing.thruhere.net> In-Reply-To: <20090915151425.4b6ce6f2@scorpio.seibercom.net> References: <4AAE95B2.5050409@sitpub.com> <200909152051.40695.mel.flynn%2Bfbsd.questions@mailing.thruhere.net> <20090915151425.4b6ce6f2@scorpio.seibercom.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tuesday 15 September 2009 21:14:25 Jerry wrote: > On Tue, 15 Sep 2009 20:51:40 +0200 > > Mel Flynn <mel.flynn+fbsd.questions@mailing.thruhere.net> wrote: > > The exception is > > when exploits are already in the wild and a work around is available, > > while a real fix will take more work. > Assume that I have discovered a vulnerability in a widely used, or even > marginal for arguments sake, program. I now start to exploit that > vulnerability. Now assume that you are responsible for maintaining, > that program. Use any job description that suits you for this purpose. > Are you claiming that since it may take several months to fix, it is > better to let users be exploited rather than inform them that there is > an exploitable problem in said software? I fine that extremely > disturbing. Then I suggest you cancel your internet account(s). Also, it helps to read what people are writing. But for the corner case where you are the person reporting me this vulnerability, telling me you won't exploit it, then do it anyway, there is no guard in place, other then that sooner or later, you'll compromise a machine administered by someone able to retrace what happened and it'll come back to me and I'd move up the timetable, cook up a work around and publish the details. There is some level of trust between reporter and fixer, whether it be good or bad, it's simply a fact of life and not likely to change. -- Mel
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200909152139.50403.mel.flynn%2Bfbsd.questions>