From: Gianluca S. <gi...@gm...> - 2008-05-11 21:46:23
On Sat, May 10, 2008 at 7:21 PM, Patrick Schoenfeld <sch...@in...> wrote:

> So let's say the following:
> 2.1 Mike opens a bug in the Debian bug tracker with detailed
> information on how the bug can be exported
> 2.2 Mike informs security focus or alike with the issue
> 2.3 Mike informs the mantis team

Mike can choose to do so, knowingly creating a zero-day attack vector; at that point, of course, I agree that keeping the bug private is nonsense. However, I think the "responsible disclosure" method I described is a better alternative and allows lowering the impact of security issues on end users.

For example, right now I'm working on a security issue we were notified of a few days ago; the issue is not yet public (at least, AFAIK) and I don't think revealing the details now will serve any purpose.

For the record, the only "problem" I had with Fedora's security team was the lack of proper CVE records for solved security issues, which they promptly created.