Reporting security vulnerability

Steve Dodier-Lazaro sidnioulz at gmail.com
Fri Jun 7 22:50:08 CEST 2013


Jeroen (my apologies for misspelling your name in the previous email),

Security by obfuscation/obscurity consists of making the decision to hide
things instead of protecting them, forever. No further action is planned,
things are just hidden.

That Shuhao first makes sure to have the vulnerability disclosed to the
developers is no such thing. First, it does not mean that he will not
disclose it if we tell him "we don't care, it's not public so our users
won't know about our mistake". Second, zero-days are exploited by fewer
people than publicly disclosed bugs, for an obvious reason.

Cheers,


2013/6/7 Jeroen van Aart <jeroen at mompl.net>

> On 06/07/2013 03:50 AM, Steve Dodier-Lazaro wrote:
>
>> I think you're being confused.
>>
>
> Thank you.
>
>
>> It is a very common and logical practice to
>> let developers write a fix before disclosing a bug that might yet have to
>> be exploited, so that users have a protection available when disclosure
>>
>
> "Might yet" being a keyword. There is no guarantee no one else discovered
> the bug and as such there is no guarantee there is no exploit yet. I would
> want to know about a bug that could be exploited without having to wait for
> the secrecy to clear up after a few weeks once a fix has been implemented.
>
> Knowledge about the bug also enables one to work around it, or avoid it or
> remove the offending software.
>
> Now you're just left in the blue what a report was all about, potentially
> leaving systems exposed but having no way to easily do something about it
> short of removing everything. Actually disclosing the bug will be safer and
> give people a chance to avoid being exploited right away.
>
> You know your system is exploitable, however you do not know how. It's
> like your doctor telling you you have a potentially fatal disease but he's
> not telling you what it is until they found a medicine for it (if ever).
> Sounds great. :-)
>
> Greetings,
> Jeroen
>
> --
> Earthquake Magnitude: 4.9
> Date: Friday, June  7, 2013 15:39:39 UTC
> Location: Samar, Philippines
> Latitude: 12.0947; Longitude: 125.8808
> Depth: 79.70 km
>



-- 
Steve Dodier-Lazaro
PhD Student in Information Security
University College London
Free Software Developer
OpenPGP : 1B6B1670