Re: Proper procedure for reporting possible security vulnerabilities?

From: Chris Wright
Date: Tue Jan 11 2005 - 13:16:41 EST


* Jesper Juhl (juhl-lkml@xxxxxx) wrote:
> On Mon, 10 Jan 2005, Chris Wright wrote:
> > Problem is, the rest of the world uses a security contact for reporting
> > security sensitive bugs to project maintainers and coordinating
> > disclosures. I think it would be good for the kernel to do that as well.
> >
> Problem is that the info can then get stuck at a vendor or maintainer
> outside of public view and risk being mothballed. It also limits the
> number of people who can work on a solution (including people getting to
> work on auditing other code for similar issues). It also prevents admins
> from taking alternative precautions prior to availability of a fix (you
> have to assume the bad guys already know of the bug, not just the good
> guys).

That's not quite the case. The point of having a security contact is to
help coordinate timely public disclosure, not to sit on and mothball
info. In most projects it turns out to be helpful.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net