Re: Linux BlueBorne vulnerabilities

[Ben Seri <ben () armis com>]

Hi Alexander,

Our thought is that since these issues affect multi vendors that are using
Linux, the longer the embargo period, the better chance there is a
coordinated patch goes out to as many users as possible once the embargo is
lifted.

Armis Labs

On Fri, Sep 15, 2017 at 12:26 AM Solar Designer <solar () openwall com> wrote:

> On Thu, Sep 14, 2017 at 08:14:03PM +0000, Armis Security wrote:
> > On August 15th we have contacted one of the senior maintiners of BlueZ
> and
> > attempted to establish a longer embargo period with him. Unfortunatelly
> his
> > suggestion was to post our findings to linux-bluetooth () vger kernel org,
> > which is a public mailing list.
>
> While I understand you not wanting to post to a public mailing list
> right away, why exactly would you have wanted a longer embargo than e.g.
> linux-distros' maximum of 14 days?
>
> > So we decided to disclose our findings to the secure mailing list that
> > unfortunatelly only have a maximum of 7 days embargo periods.
>
> You're probably referring to the Linux kernel security list.  7 days
> sounds like a reasonable embargo period to me, but if you really wanted
> more, you could get up to 14 by first contacting linux-distros only, and
> then bringing the issue to the Linux kernel security list in no more
> than 7 days to the planned public disclosure.
>
> > I am happy to hear the red hat security team allows for longer embargo
> > periods, and we will contact you directly in the future.
>
> I hope you will only go for a longer embargo when there's actually a
> good reason for that.  There might or might not have been in this case.
>
> Alexander