oss-sec mailing list archives
Re: How to deal with reporters who don't want their bugs fixed?
From: "Mike O'Connor" <mjo () dojo mi org>
Date: Tue, 23 Jan 2018 22:02:15 -0500
:Subject says it all: What do you do if you receive a vulnerability report,
:and the reporter requests an embargo at some time in the future because
:that's when their paper/conference presentation/patent submission is
:scheduled?
:
:The obvious approach is to find a prior public report of essentially the same
:bug and fix that (which will work surprisingly often), but let's assume that
:this isn't the case.

Well, does the embargo add value for the consumers of the product? That had historically been my guideline, when I've had to make that call. Will it improve the fix, documentation, delivery mechanisms, etc.? Sometimes, the answer is "yes". Other times, not so much, or it's fairly indeterminate. You don't always know all the facts, or all the players; you're left with educated guessing.

Sometimes, you can persuade researchers to a vendor-friendly point of view on disclosure by simply asking them if they think this is in the best interests of the users. Other times, you work with someone who cares more about adding a CVE and|or bounty to their resume, or they are disingenuous or simply incapable of keeping secrets.

If there's evidence of open exploitation, all bets should be off and that should be stated up front. At that point, of course, it ceases adding value. An agreed disclosure date does not generally amount to an NDA or the like.

-Mike

--
Michael J. O'Connor                                       mjo () dojo mi org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"The defendant pleaded exterminating circumstances."      -Anguished English
Current thread:
- Re: How to deal with reporters who don't want their bugs fixed?, (continued)
- Re: How to deal with reporters who don't want their bugs fixed? Greg KH (Jan 19)
- Re: How to deal with reporters who don't want their bugs fixed? Igor Seletskiy (Jan 19)
- Re: How to deal with reporters who don't want their bugs fixed? Tavis Ormandy (Jan 20)
- Re: How to deal with reporters who don't want their bugs fixed? Florian Weimer (Jan 20)
- Re: How to deal with reporters who don't want their bugs fixed? r . hering (Jan 22)
- Re: How to deal with reporters who don't want their bugs fixed? Mikhail Utin (Jan 22)
- Re: How to deal with reporters who don't want their bugs fixed? Ian Zimmerman (Jan 22)
- Re: Re: How to deal with reporters who don't want their bugs fixed? Tristan Henning (Jan 22)
- Re: How to deal with reporters who don't want their bugs fixed? Solar Designer (Jan 26)
- Re: How to deal with reporters who don't want their bugs fixed? Stiepan (Jan 26)
- Re: How to deal with reporters who don't want their bugs fixed? Solar Designer (Jan 26)
- Re: How to deal with reporters who don't want their bugs fixed? Mikhail Utin (Jan 26)
- Re: How to deal with reporters who don't want their bugs fixed? Solar Designer (Jan 26)
- Re: How to deal with reporters who don't want their bugs fixed? halfdog (Jan 27)
- Re: How to deal with reporters who don't want their bugs fixed? Stiepan (Jan 27)