Reporting security vulnerability
Jeroen van Aart
jeroen at mompl.net
Fri Jun 7 01:38:52 CEST 2013
On 06/06/2013 02:37 PM, Justin R. Andrusk wrote:
> I do wonder if this would get the same level of classification that a like security vulnerability in Ubuntu would get. Process should be the same. Report it as a bug without giving the details in the bug report. You may even want to submit a patch yourself if you can.
It's a bad idea to hide security vulnerabilities.
Security through obscurity is worse than no security at all.
http://en.wikipedia.org/wiki/Security_through_obscurity
"Security through obscurity has never achieved engineering acceptance as an approach to securing a system, as it contradicts the principle of "keeping it simple". The United States National Institute of Standards and Technology (NIST) specifically recommends against security through obscurity in more than one document. Quoting from one, "System security should not depend on the secrecy of the implementation or its components."[1]"
[1] http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
Greetings,
Jeroen
--
Earthquake Magnitude: 4.4
Date: Thursday, June 6, 2013 16:15:33 UTC
Location: Hokkaido, Japan region
Latitude: 43.2374; Longitude: 143.8740
Depth: 15.80 km
More information about the Xfce4-dev mailing list