lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20041218042511.67598.qmail@cr.yp.to>
Date: 18 Dec 2004 04:25:11 -0000
From: "D. J. Bernstein" <djb@...yp.to>
To: bugtraq@...urityfocus.com
Subject: Re: DJB's students release 44 *nix software vulnerability advisories


Shu T. Messenger writes:
> In each case, Professor Bernstein notified the author of the
> vulnerable package on Dec 15 via e-mail. This mail hit Bugtraq on the
> 16th, giving one day for vendors to provide fixes.

Actually, I sent all of these notifications to the public securesoftware
mailing list (http://securesoftware.list.cr.yp.to) at the same time that
I sent them to the authors. It certainly wasn't my intention to give the
authors an extra day of self-delusion.

> Is the class on responsible disclosure next semester perhaps?

If you had bothered to look at the slides on the course web page, you
would have seen a half day dedicated to the topic, plus some examples on
subsequent days of how people react to full disclosure when they're
trying to protect their shoddy security practices.

The reason that the 16 students sent their 91 reports to me privately is
so that they wouldn't have to deal with people like you. It was entirely
my decision to send out these 44 public notices.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ