upvote

points

by tptacek16 hours ago |
comments
upvoteby ori_b14 hours ago|
next
[-]
Mind explaining how sitting on it a month after the patch landed is 'faster'? To my mind, that's a month where attackers could analyze commit logs, but maintainers are not acting with urgency to ship fixes.
reply
upvoteby tptacek14 hours ago|
parent|
[-]
No, I wouldn't, because my own preferences are towards immediate disclosure. Tavis Ormandy dropped Zenbleed out of the sky onto us. It wasn't comfortable, it was a scramble for us, but I don't blame Tavis for it; he made a principled call. Better that people know, than that information be concealed from them while designated elites perform a process.
reply
upvoteby ori_b14 hours ago|
parent|
[-]
I'd also prefer immediate disclosure, but I don't get how waiting a month without telling anyone is good regardless of which side you land on.
reply
upvoteby john_strinlai14 hours ago|
parent|
[-]
>I'd also prefer immediate disclosure

wait, what?

you are in another comment thread, of this very post, calling these reporters bumbling and incompetent for their disclosure. "merely bumblingly incompetent and overly eager to get their marketing pitch out the door" - that is your quote.

you also said "Basic care would involve making sure the patches had made it into the wild before ending the embargo", which is the literal opposite of immediate disclosure.

but now you are saying they should have just dropped it with no reporting at all? because that is what "immediate disclosure" means. pop up the exploit script on twitter and call it done.

reply
upvoteby ori_b6 hours ago|
parent|
[-]
Yes, if you release the vulnerability as soon as possible, that's a good choice. If you have an embargo and make sure that fixes get out to users in a timely manner before ending the embargo, that's also a reasonable choice.

If you're going wait a month between landing the patch (possibly notifying attackers), but not notify the people who may get the patch to users, it seems like something was mishandled.

reply
upvoteby throw0101a13 hours ago|
prev|
[-]
> No, you're in more pain, but other defenders with different postures benefit from having faster and fuller disclosure.

Good for them. But just because some folks cannot afford 24/7 response teams and on-call personnel that doesn't make them or their systems any less important.

Lots of non-profits and academic institutions had to scramble because of the Linux kernel team's position of non-communication to distros.

reply
upvoteby tptacek13 hours ago|
parent|
[-]
The conversation about how Linux handle these things is a good and worthy one to have and one "non-profits and academic institutions" need to have when they select distributions. I'm just here to push any of that scrutiny off the vulnerability reporters; Linux is lucky to have them, even if it's mishandling their reports. Vulnerability researchers don't owe these people anything.
reply