Re: Proper procedure for reporting possible security vulnerabilities?

From: Florian Weimer
Date: Wed Jan 12 2005 - 07:25:26 EST


* Jesper Juhl:

> Problem is that the info can then get stuck at a vendor or maintainer
> outside of public view and risk being mothballed.

The submitter can go public anyway. Most coordinators do not require
signing NDAs for submitters (some require them from software authors,
though).

A designated security contact would give submitters a choice: either
go public directly, or try something else first. And believe me, some
vulnerabilities really need a tested fix which is published at the
time of disclosure (death by single packet, for example).
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/