From: Jesper Juhl <juhl-lkml@dif.dk>
To: Chris Wright <chrisw@osdl.org>
Cc: Jesper Juhl <juhl-lkml@dif.dk>, Steve Bergman <steve@rueb.com>,
linux-kernel@vger.kernel.org
Subject: Re: Proper procedure for reporting possible security vulnerabilities?
Date: Tue, 11 Jan 2005 18:05:05 +0100 (CET) [thread overview]
Message-ID: <Pine.LNX.4.61.0501111758290.3368@dragon.hygekrogen.localhost> (raw)
In-Reply-To: <20050110164001.Q469@build.pdx.osdl.net>
On Mon, 10 Jan 2005, Chris Wright wrote:
> * Jesper Juhl (juhl-lkml@dif.dk) wrote:
> > On Mon, 10 Jan 2005, Steve Bergman wrote:
> > > Actually I am having a discussion with a Pax Team member about how the recent
> > > exploits discovered by the grsecurity guys should have been handled. They
> > > clam that they sent email to Linus and Andrew and did not receive a response
> > > for 3 weeks, and that is why they released exploit code into the wild.
> > >
> > > Anyone here have any comments on what I should tell him?
> > >
> > I don't know what other people would do or what the general feeling on
> > the list is, but personally I'd send such reports to the maintainer and
> > CC lkml, if there is no maintainer I'd just send to lkml.
>
> Problem is, the rest of the world uses a security contact for reporting
> security sensitive bugs to project maintainers and coordinating
> disclosures. I think it would be good for the kernel to do that as well.
>
Problem is that the info can then get stuck at a vendor or maintainer
outside of public view and risk being mothballed. It also limits the
number of people who can work on a solution (including peole getting to
work on auditing other code for similar issues). It also prevents admins
from taking alternative precautions prior to availability of a fix (you
have to assume the bad guys already know of the bug, not just the good
guys).
--
Jesper Juhl
next prev parent reply other threads:[~2005-01-11 17:05 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-10 16:46 Proper procedure for reporting possible security vulnerabilities? Steve Bergman
2005-01-10 18:23 ` Indrek Kruusa
2005-01-10 19:24 ` Alan Cox
2005-01-11 9:32 ` Florian Weimer
2005-01-10 21:31 ` Florian Weimer
2005-01-10 21:42 ` Steve Bergman
2005-01-10 22:08 ` Diego Calleja
2005-01-11 0:19 ` Barry K. Nathan
2005-01-11 0:45 ` Diego Calleja
2005-01-11 9:35 ` Florian Weimer
2005-01-11 16:57 ` Jesper Juhl
2005-01-11 17:05 ` Jan Engelhardt
2005-01-10 22:09 ` linux-os
2005-01-11 0:44 ` Barry K. Nathan
2005-01-10 22:11 ` Jesper Juhl
2005-01-11 0:40 ` Chris Wright
2005-01-11 1:09 ` Diego Calleja
2005-01-11 1:18 ` Chris Wright
2005-01-11 17:05 ` Jesper Juhl [this message]
2005-01-11 16:39 ` Alan Cox
2005-01-11 21:25 ` Jesper Juhl
2005-01-11 21:29 ` Chris Wright
2005-01-12 21:05 ` Jesper Juhl
2005-01-17 22:49 ` Werner Almesberger
2005-01-17 22:52 ` Chris Wright
2005-01-17 23:23 ` Christoph Hellwig
2005-01-17 23:26 ` Chris Wright
2005-01-17 23:57 ` Alan Cox
2005-01-18 1:08 ` Chris Wright
2005-01-11 17:57 ` Chris Wright
2005-01-12 12:23 ` Florian Weimer
2005-01-11 9:49 ` Florian Weimer
2005-01-11 16:10 ` Alan Cox
2005-01-12 12:33 ` Florian Weimer
2005-01-13 15:36 ` Alan Cox
[not found] <200501101959.j0AJxUvl032294@laptop11.inf.utfsm.cl>
2005-01-10 21:36 ` Indrek Kruusa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.61.0501111758290.3368@dragon.hygekrogen.localhost \
--to=juhl-lkml@dif.dk \
--cc=chrisw@osdl.org \
--cc=linux-kernel@vger.kernel.org \
--cc=steve@rueb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).