Re: thoughts on kernel security issues

[Dave Jones]

On Thu, Jan 13, 2005 at 08:42:46PM +0100, Marek Habersack wrote:
 > On Thu, Jan 13, 2005 at 03:36:27PM +0000, Alan Cox scribbled:
 > > On Mer, 2005-01-12 at 17:42, Marcelo Tosatti wrote:
 > > > The kernel security list must be higher in hierarchy than vendorsec.
 > > > 
 > > > Any information sent to vendorsec must be sent immediately for the kernel
 > > > security list and discussed there.
 > > 
 > > We cannot do this without the reporters permission. Often we get
 > I think I don't understand that. A reporter doesn't "own" the bug - not the
 > copyright, not the code, so how come they can own the fix/report?

Security researchers are an odd bunch. They're very attached to their
bugs in the sense they want to be the ones who get the glory for
having reported it.

As soon as bugs start getting forwarded around between lists, the
potential for leaks increases greatly. The recent fiasco surrounding
one of the isec.pl holes was believed to have been caused due to
someone 'sniffing upstream' for example.

When issues get leaked, the incentive for a researcher to use the
same process again goes away, which hurts us.  Basically, trying
to keep them happy is in our best interests.

		Dave

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/