Reporting security vulnerability
Jeroen van Aart
jeroen at mompl.net
Fri Jun 7 20:51:55 CEST 2013
On 06/07/2013 03:50 AM, Steve Dodier-Lazaro wrote:
> I think you're being confused.
Thank you.
> It is a very common and logical practice to
> let developers write a fix before disclosing a bug that might yet have to
> be exploited, so that users have a protection available when disclosure
"Might yet" being a keyword. There is no guarantee that no one else has
discovered the bug, and as such there is no guarantee that there is no
exploit yet. I would want to know about a bug that could be exploited
without having to wait for the secrecy to clear up after a few weeks once
a fix has been implemented.
Knowledge about the bug also enables one to work around it, or avoid it
or remove the offending software.
Now you're just left in the dark about what a report was all about,
potentially leaving systems exposed but having no way to easily do
something about it short of removing everything. Actually disclosing the
bug will be safer and give people a chance to avoid being exploited
right away.
You know your system is exploitable, however you do not know how. It's
like your doctor telling you you have a potentially fatal disease but
not telling you what it is until they have found a medicine for it (if
ever). Sounds great. :-)
Greetings,
Jeroen
--
Earthquake Magnitude: 4.9
Date: Friday, June 7, 2013 15:39:39 UTC
Location: Samar, Philippines
Latitude: 12.0947; Longitude: 125.8808
Depth: 79.70 km