Re: Proper procedure for reporting possible security vulnerabilities?

[Jesper Juhl]

On Mon, 10 Jan 2005, Chris Wright wrote:

> * Jesper Juhl (juhl-lkml@xxxxxx) wrote:
> > On Mon, 10 Jan 2005, Steve Bergman wrote:
> > > Actually I am having a discussion with a Pax Team member about how the recent
> > > exploits discovered by the grsecurity guys should have been handled.  They
> > > clam that they sent email to Linus and Andrew and did not receive a response
> > > for 3 weeks, and that is why they released exploit code into the wild.
> > > 
> > > Anyone here have any comments on what I should tell him?
> > > 
> > I don't know what other people would do or what the general feeling on 
> > the list is, but personally I'd send such reports to the maintainer and 
> > CC lkml, if there is no maintainer I'd just send to lkml.
> 
> Problem is, the rest of the world uses a security contact for reporting
> security sensitive bugs to project maintainers and coordinating
> disclosures.  I think it would be good for the kernel to do that as well.
> 
Problem is that the info can then get stuck at a vendor or maintainer 
outside of public view and risk being mothballed. It also limits the 
number of people who can work on a solution (including peole getting to 
work on auditing other code for similar issues). It also prevents admins 
from taking alternative precautions prior to availability of a fix (you 
have to assume the bad guys already know of the bug, not just the good 
guys).

-- 
Jesper Juhl

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/