Message-ID: <Pine.LNX.4.58.0412071030280.25154@loki.ct.heise.de>
From: ju at heisec.de (Juergen Schmidt)
Subject: [Advisory] Mozilla Products Remote Crash Vulnerability

On Mon, 6 Dec 2004, Heikki Toivonen wrote:

> This crash was fixed today.

Great.

> This does not mean crashes will be ignored and will go unfixed. It just
> means that they do not receive the urgency that exploitable crashes and
> other vulnerabilities receive.

But this means, somebody (from mozilla) checked the urgency and decided,
that it can wait. It would have been nice and a minimal effort to inform
the initial reporter about that.

> As a security researcher, I would think it would be your responsibility
> to determine the seriousness of an issue. Just saying an app crashes
> does not make a security researcher IMO. Even my mom would be able to
> report a simple crash.

I do not see Niek claiming to be a security researcher. He stumbled into
something, that might be a security problem and wanted to make sure, it is
treated the right way. He first reported it to bugzilla and after not
getting a response, published the information he gathered.

What should he (or your mother) do, if mozilla is crashing on a particular
web site? Shut up? Learn how to write a buffer overflow exploit before
reporting it?

bye, ju

--
Juergen Schmidt Chefredakteur heise Security www.heisec.de
Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
Tel. +49 511 5352 300 FAX +49 511 5352 417 EMail ju@...sec.de
GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970