Reporting security vulnerability

Jeroen van Aart jeroen at
Fri Jun 7 01:38:52 CEST 2013

On 06/06/2013 02:37 PM, Justin R. Andrusk wrote:
> I do wonder if this would get the same level of classification that a like security vulnerability in Ubuntu would get. Process should be the same. Report it as a bug without giving the details in the bug report. You may even want to submit a patch yourself if you can.

It's a bad idea to hide security vulnerabilities.
Security through obscurity is worse than no security at all.

"Security through obscurity has never achieved engineering acceptance as 
an approach to securing a system, as it contradicts the principle of 
"keeping it simple". The United States National Institute of Standards 
and Technology (NIST) specifically recommends against security through 
obscurity in more than one document. Quoting from one, "System security 
should not depend on the secrecy of the implementation or its 



Earthquake Magnitude: 4.4
Date: Thursday, June  6, 2013 16:15:33 UTC
Location: Hokkaido, Japan region
Latitude: 43.2374; Longitude: 143.8740
Depth: 15.80 km

More information about the Xfce4-dev mailing list