Message-ID: <41B5E846.2010602@osafoundation.org>
Date: Tue, 07 Dec 2004 09:28:38 -0800
From: Heikki Toivonen <heikki@...foundation.org>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: [Advisory] Mozilla Products Remote Crash Vulnerability

Juergen Schmidt wrote:
> But this means, somebody (from mozilla) checked the urgency and decided,
> that it can wait. It would have been nice and a minimal effort to inform
> the initial reporter about that.

* Reported Tuesday 2004-11-30
* 10 hours later it receives first comment, asking for testcase since 
reporter's site is unreachable
* On Friday, 3 days later, the reporter thinks he's been ignored
* On Monday, the bug receives second comment, pointing out it is not 
really a security issue and subsequently gets fixed. By this time it was 
also reported on Bugtraq.

So yeah, it would have been nice if somebody had reported immediately 
that it was not exploitable. But it did receive that comment 6 days 
later. (In contrast, even when security researchers report confirmed 
security issues they are often willing to wait for a week or more.)

Look at it from the developer's perspective. They get a report about a 
crash where the reporter thinks it is a security issue. They check it 
out, and it turns out it is nothing serious, and probably think it can 
wait for a bit while they work on something more important.

I think it was good the reporter asked in the bug if he was ignored or 
not (because sometimes people do forget).

But posting about a security vulnerability to public lists in less than 
a week after report, without actually verifying that it really is a 
vulnerability? Come on. This will only get people annoyed at you.

> I do not see Niek claiming to be a security researcher. He stumbled

In that case, my apologies. Somehow I got the impression he was.

> What should he (or your mother) do, if mozilla is crashing on a
> particular web site? Shut up? Learn how to write a buffer overflow
> exploit before reporting it?

People should of course report all the bugs they see. But my point still 
stands - a bug report about a crash still does not get the same 
attention as a bug report about an exploit. If you can't show it is a 
potential security issue, please be a little more patient.

-- 
   Heikki Toivonen
