From: Alan Cox <firstname.lastname@example.org>
To: Jesper Juhl <email@example.com>
Cc: Chris Wright <firstname.lastname@example.org>, Steve Bergman <email@example.com>, Linux Kernel Mailing List <firstname.lastname@example.org>
Subject: Re: Proper procedure for reporting possible security vulnerabilities?
Date: Tue, 11 Jan 2005 16:39:23 +0000
Message-ID: <email@example.com>
In-Reply-To: <Pine.LNX.firstname.lastname@example.org>

On Maw, 2005-01-11 at 17:05, Jesper Juhl wrote:
> Problem is that the info can then get stuck at a vendor or maintainer
> outside of public view and risk being mothballed. It also limits the
> number of people who can work on a solution (including people getting to
> work on auditing other code for similar issues). It also prevents admins
> from taking alternative precautions prior to availability of a fix (you
> have to assume the bad guys already know of the bug, not just the good
> guys).

The evidence is that for the most part the bad guys don't know about the
bug and the majority of the bad guys are not skilled enough to write some
of the complex exploits. They also automate extensively so given an
exploit can make very fast very effective use of it.

There is an entire field of economics and game theory tied up in this as
well as papers by some in the field who look at computer security models
this way.

If you are a member of the full disclosure camp then fine, but please cc
vendor-sec when you publish the hole just in case Linus loses the email
and so vendors know too and can plan appropriately.

Alan
Thread overview (36+ messages):

2005-01-10 16:46 Steve Bergman
2005-01-10 18:23 ` Indrek Kruusa
2005-01-10 19:24 ` Alan Cox
2005-01-11 9:32 ` Florian Weimer
2005-01-10 21:31 ` Florian Weimer
2005-01-10 21:42 ` Steve Bergman
2005-01-10 22:08 ` Diego Calleja
2005-01-11 0:19 ` Barry K. Nathan
2005-01-11 0:45 ` Diego Calleja
2005-01-11 9:35 ` Florian Weimer
2005-01-11 16:57 ` Jesper Juhl
2005-01-11 17:05 ` Jan Engelhardt
2005-01-10 22:09 ` linux-os
2005-01-11 0:44 ` Barry K. Nathan
2005-01-10 22:11 ` Jesper Juhl
2005-01-11 0:40 ` Chris Wright
2005-01-11 1:09 ` Diego Calleja
2005-01-11 1:18 ` Chris Wright
2005-01-11 17:05 ` Jesper Juhl
2005-01-11 16:39 ` Alan Cox [this message]
2005-01-11 21:25 ` Jesper Juhl
2005-01-11 21:29 ` Chris Wright
2005-01-12 21:05 ` Jesper Juhl
2005-01-17 22:49 ` Werner Almesberger
2005-01-17 22:52 ` Chris Wright
2005-01-17 23:23 ` Christoph Hellwig
2005-01-17 23:26 ` Chris Wright
2005-01-17 23:57 ` Alan Cox
2005-01-18 1:08 ` Chris Wright
2005-01-11 17:57 ` Chris Wright
2005-01-12 12:23 ` Florian Weimer
2005-01-11 9:49 ` Florian Weimer
2005-01-11 16:10 ` Alan Cox
2005-01-12 12:33 ` Florian Weimer
2005-01-13 15:36 ` Alan Cox
[not found] <200501101959.j0AJxUvl032294@laptop11.inf.utfsm.cl>
2005-01-10 21:36 ` Indrek Kruusa