Yes it does. That's how it's always been done and distros can ship a fix well before it ends up in a kernel release.
Any strategy that assumes that the rest of the world is functional or makes you personally responsible for fixing all of it is equally broken, but there is a reasonable middle ground and sending a few more emails lies within it.
> we can always help them by mandating that they spend 6 figures
Who’s we? Mandate with what authority? AWS and GCP are downstream another level. Should the reporter also have worked with them? And their customers? And the customers of their customers?
IMO this whole discussion seems like people are annoyed by the security researchers doing god’s work and wish they didn’t exist or think that they should be fully subservient to the projects and companies they are helping for free. The bugs were there before the researchers revealed them!!