> If you can't write it down, why would you expect it to be universal and enforceable?
replyand this is the problem. It used to be the case that if you were smart enough to find an exploit you were also smart enough to realise what would happen if you irresponsibly disclosed it. I guess these tools have made that pattern no longer apply.
From my point of view, they told the kernel security team which is in charge of fixing this. If it’s important for them to tell other people, then it should’ve been written down and further reiterated when they made their report.
replyThe skills to detect code exploits is not the same as the skills to navigate an informal org chart to the satisfaction of an amorphous audience if end users (i.e. us on HN).
That said… as they are a company that supposedly specializes in this field, and is trying to sell a product, I do believe they should do better. Right now, I don’t have much confidence in their product.
different cultures have different views on disclosing vulnerabilities to distros before the public?
replyYes :) The blackhatter would obviously sit on it until they can sell it or use it, the whitehatter collaborate the kernel and distros to patch, and the greyhatter argues on HN whether the latest *fail was responsible enough or not.
replyYes? "Different cultures" doesn't just mean different countries; there are many cultures within infosec.
replyThere is little difference in culture here. Nearly all open source work is done in English.
reply