Message-ID: <20140627031007.GA26847@openwall.com>
Date: Fri, 27 Jun 2014 07:10:08 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: LMS-2014-06-16-1: Oberhumer LZO

Don,

On Thu, Jun 26, 2014 at 02:37:47PM -0600, Don A. Bailey wrote:
> I chose not to release the bug reports to the public within the timeframe
> suggested by Solar for several reasons:
>  1) I have deep visibility into the vulnerable code and understand the
> constraints of exploitation and the breadth
>  2) The public exposure was non-obvious, and was not advertised by the
> vendor
>  3) The most widely affected vendors (Linux and Oberhumer) had yet to
> release a patch publicly
>  4) The time between exposure and public release was short enough to
> negative exposure

Thank you for providing this reasoning.

> My job, as I saw it, was to responsibly coordinate word between all
> parties. I did that as best as I could given the teams, their time zones,
> their understanding of the bug, and their speed.
> 
> All in all, I think it worked out OK, and I am satisfied with the result
> thus far. There are things that could have gone better, but over all each
> team worked hard to produce solid patches in a reasonable time frame. We
> hit that goal.

I am also of the opinion that everyone did their best, and that's great.

I think actual negative impact of the delay is small or non-existent.
However, I felt we must have posted these additional comments on the
disclosure process in here, because it deviated from what's normally
expected for issues disclosed to the distros list:

http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists

"When the security issue is finally to be made public, it is your (the
original reporter's) responsibility to post about it to oss-security
(indeed, you and others may also post to any other mailing lists, etc.)"

I am tempted to add "on the same day" after "to oss-security", since
this is what we expect (and what usually happens), but there may be
occasional exceptions like this, so maybe we leave the wording as-is?

Alexander
