Reporting security vulnerability

Jeroen van Aart jeroen at
Fri Jun 7 20:51:55 CEST 2013

On 06/07/2013 03:50 AM, Steve Dodier-Lazaro wrote:
> I think you're being confused.

Thank you.

> It is a very common and logical practice to
> let developers write a fix before disclosing a bug that might yet have to
> be exploited, so that users have a protection available when disclosure

"Might yet" being a keyword. There is no guarantee no one else 
discovered the bug and as such there is no guarantee there is no exploit 
yet. I would want to know about a bug that could be exploited without 
having to wait for the secrecy to clear up after a few weeks once a fix 
has been implemented.

Knowledge about the bug also enables one to work around it, or avoid it 
or remove the offending software.

Now you're just left in the blue what a report was all about, 
potentially leaving systems exposed but having no way to easily do 
something about it short of removing everything. Actually disclosing the 
bug will be safer and give people a chance to avoid being exploited 
right away.

You know your system is exploitable, however you do not know how. It's 
like your doctor telling you you have a potentially fatal disease but 
he's not telling you what it is until they found a medicine for it (if 
ever). Sounds great. :-)


Earthquake Magnitude: 4.9
Date: Friday, June  7, 2013 15:39:39 UTC
Location: Samar, Philippines
Latitude: 12.0947; Longitude: 125.8808
Depth: 79.70 km

More information about the Xfce4-dev mailing list