linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: Jesper Juhl <juhl-lkml@dif.dk>
Cc: Chris Wright <chrisw@osdl.org>, Steve Bergman <steve@rueb.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: Proper procedure for reporting possible security vulnerabilities?
Date: Tue, 11 Jan 2005 16:39:23 +0000	[thread overview]
Message-ID: <1105461562.16168.46.camel@localhost.localdomain> (raw)
In-Reply-To: <Pine.LNX.4.61.0501111758290.3368@dragon.hygekrogen.localhost>

On Maw, 2005-01-11 at 17:05, Jesper Juhl wrote:
> Problem is that the info can then get stuck at a vendor or maintainer 
> outside of public view and risk being mothballed. It also limits the 
> number of people who can work on a solution (including peole getting to 
> work on auditing other code for similar issues). It also prevents admins 
> from taking alternative precautions prior to availability of a fix (you 
> have to assume the bad guys already know of the bug, not just the good 
> guys).

The evidence is that for the most part the bad guys don't know about the
bug and the majority of the bad guys are not skilled enough to write
some of the complex exploits. They also automate extensively so given an
exploit can make very fast very effective use of it. There is an entire
field of economics and game theory tied up in this as well as papers by
some in the field who look at computer security models this way.

If you are a member of the full disclosure camp then fine, but please cc
vendor-sec when you publish the hole just in case Linus loses the email
and so vendors know too and can plan appropriately.

Alan


  reply	other threads:[~2005-01-11 17:59 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-01-10 16:46 Steve Bergman
2005-01-10 18:23 ` Indrek Kruusa
2005-01-10 19:24 ` Alan Cox
2005-01-11  9:32   ` Florian Weimer
2005-01-10 21:31 ` Florian Weimer
2005-01-10 21:42   ` Steve Bergman
2005-01-10 22:08     ` Diego Calleja
2005-01-11  0:19       ` Barry K. Nathan
2005-01-11  0:45         ` Diego Calleja
2005-01-11  9:35         ` Florian Weimer
2005-01-11 16:57         ` Jesper Juhl
2005-01-11 17:05           ` Jan Engelhardt
2005-01-10 22:09     ` linux-os
2005-01-11  0:44       ` Barry K. Nathan
2005-01-10 22:11     ` Jesper Juhl
2005-01-11  0:40       ` Chris Wright
2005-01-11  1:09         ` Diego Calleja
2005-01-11  1:18           ` Chris Wright
2005-01-11 17:05         ` Jesper Juhl
2005-01-11 16:39           ` Alan Cox [this message]
2005-01-11 21:25             ` Jesper Juhl
2005-01-11 21:29               ` Chris Wright
2005-01-12 21:05                 ` Jesper Juhl
2005-01-17 22:49                 ` Werner Almesberger
2005-01-17 22:52                   ` Chris Wright
2005-01-17 23:23                     ` Christoph Hellwig
2005-01-17 23:26                       ` Chris Wright
2005-01-17 23:57                         ` Alan Cox
2005-01-18  1:08                           ` Chris Wright
2005-01-11 17:57           ` Chris Wright
2005-01-12 12:23           ` Florian Weimer
2005-01-11  9:49       ` Florian Weimer
2005-01-11 16:10     ` Alan Cox
2005-01-12 12:33       ` Florian Weimer
2005-01-13 15:36         ` Alan Cox
     [not found] <200501101959.j0AJxUvl032294@laptop11.inf.utfsm.cl>
2005-01-10 21:36 ` Indrek Kruusa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1105461562.16168.46.camel@localhost.localdomain \
    --to=alan@lxorguk.ukuu.org.uk \
    --cc=chrisw@osdl.org \
    --cc=juhl-lkml@dif.dk \
    --cc=linux-kernel@vger.kernel.org \
    --cc=steve@rueb.com \
    --subject='Re: Proper procedure for reporting possible security vulnerabilities?' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).