Re: [Hampshire] How should the Open Source world handle newv…

Author: John Cooper
Date:  
To: lug, Hampshire LUG Discussion List
Subject: Re: [Hampshire] How should the Open Source world handle new vulnerabilities?
On 26/09/09 18:43, Damian Brasher wrote:
> When you first see this: "Linux Kernel 'sock_sendpage()' NULL Pointer
> Dereference Vulnerability" in an email or twitter it does not mean much at
> first glance.
>
> A simple model could be:
>
> 1) Security vulnerability found.
> 2) Developer(s) contacted privately before announcement is made public.
> 3) Developer fix privately forwarded to major vendors.
> 4) Major vendors generate patch and make it available.
> 5) Public announcement is made.
>
> I find it difficult to see the benefits of making a vulnerability public
> before contacting the developer at least. Should a large multi-national like
> Google be allowed to uncover an error then tell the whole world when it feels
> like it? Is that ethical? Could it be seen as an act of aggression?
>

Not all vulnerabilities are published immediately like this one. The
recent DNS issue was carefully coordinated to allow fixes to be in
place. However, even careful planning went wrong when someone leaked it :-

http://www.schneier.com/blog/archives/2008/07/the_dns_vulnera.html

I've posted on Julien Tinnes's blog asking why they didn't inform the
kernel maintainers first, as you would think anyone serious about
security would do.

--
--------------------------------------------------------------
Discover Linux - Open Source Solutions to Business and Schools
http://discoverlinux.co.uk
--------------------------------------------------------------