oss-sec mailing list archives

Re: Qualys Security Advisory - CVE-2015-3245 userhelper - CVE-2015-3246 libuser


From: z80 <z80 () bytealchemy be>
Date: Wed, 29 Jul 2015 22:16:57 +0200


Actually, the thing is very simple:

- H4x0rz: Lose The Ego!
- H4x0rz: Lose The L33t Principles!

- H4x0rz: Use your Brain v1.0

What would Brain v1.0 have told you when thinking about releasing an
exploit at the same time as the patch...




On 24/07/2015 17:56, mancha wrote:
> On Thu, Jul 23, 2015 at 08:43:43PM +0200, Leif Nixon wrote:
> > Qualys Security Advisory <qsa () qualys com> writes:
> >
> > > Hello, it is July 23, 2015, 17:00 UTC, the Coordinated Release Date
> > > for CVE-2015-3245 and CVE-2015-3246.  Please find our advisory
> > > below, and our exploit attached.
> >
> > *Why* are you releasing a full exploit just minutes after the patch is
> > released?
> >
> > (Disclosure: I am employed by Red Hat, but this is my purely personal
> > question.)
> >
> > -- Leif Nixon
>
> There was absolutely nothing wrong with Qualys' timing. When the embargo
> ends, it ends.
>
> The real problem is the underlying model: "responsible disclosure". It's
> nothing more than a CYA strategy that doesn't maximize the ecosystem's
> welfare. The positive-sounding name fools some into thinking it a good
> thing.
>
> --mancha


