Message-ID: <EB1A6A7DCB06804195592EF1716F15B501A525E3@rgaexmail.rgare.com>
From: SMoyer at rgare.com (Moyer, Shawn)
Subject: it's all about timing

Comments inline. cc: to that "other" list deleted.

> Sure, HP's response has been harsh. But every security problem
> (especially when it's accompanied by an exploit) should be reported
> first to the vendor! There should be no exception to this rule. The
> person doing the reporting should give the vendor a reasonable period
> of time to fix it; say, a few weeks or so.
> 
> Only if the vendor does nothing in these weeks should the
> report/exploit/whatever be made public.

Riiight.... Great. But according to the (now-yanked) CNet article, Snosoft
started talking to HP *this spring*, and HP sat on their hands. So, if the
vendor gets several months' notice, does exactly jack squat, and then the
vuln. leaks somehow, who do you blame? As Paul S. pointed out, nothing is
black and white, it's all just shades of grey. Me, I blame the vendor. For
fsck's sake, this thing works with a no-exec stack! How sad is that? And
these dorks wanted months and months to fix it? Who do they think they are,
ISC? [ ^_^ ] Sure, it shouldn't have leaked, but exactly how long *were*
they going to let every OSF/1 box out there be a sitting duck? At least now
I know to chmod 750 /bin/su and chown it root:wheel (a good practice
anyway).



--shawn
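The post ends with a concrete hardening step: restrict /bin/su to mode 750 and owner root:wheel so that only members of the wheel group can even execute it. The following POSIX shell snippet is an added example (not part of Shawn's message or of any vendor tooling) that generalizes that idea into a quick audit: it lists every setuid binary under a directory that is still executable by "other", and checks whether a given binary carries the restricted mode the post recommends. The function names, the directory argument and the sample files created in the test are all assumptions of this example; owner and group are left to the reader to verify with `ls -l`.

```shell
#!/bin/sh
# Added example, not from the original post. Audits setuid binaries for the
# "anyone can run it" exposure that the post fixes on /bin/su with chmod 750.

# Print (sorted) every regular file under $1 that has BOTH the setuid bit and
# the other-execute bit set. -perm -4001 is the POSIX octal form of "all of
# these bits present", so it is portable across GNU and BSD find.
audit_setuid_exposure() {
    dir="$1"
    find "$dir" -type f -perm -4001 | sort
}

# Return 0 if $1 has exactly the mode the post recommends for su (4750, i.e.
# -rwsr-x--- in ls output: owner rwx with setuid, group r-x, other nothing).
# Ownership (root:wheel) is intentionally not checked here; inspect it with ls -l.
su_is_restricted() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rwsr-x---" ]
}

# Usage: ./audit.sh /usr/bin  (lists world-executable setuid binaries there)
#        su_is_restricted /bin/su && echo "su restricted to its group"
```

Running `audit_setuid_exposure /bin /usr/bin` on a typical system will list far more than su; the point is that each line is a program any local user can invoke with elevated privilege, so each one deserves the same "who actually needs to run this?" question the post applies to su.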
