Re: Proper procedure for reporting possible security vulnerabilities?

From: Jesper Juhl
Date: Wed Jan 12 2005 - 20:43:23 EST


On Tue, 11 Jan 2005, Chris Wright wrote:

> * Jesper Juhl (juhl-lkml@xxxxxx) wrote:
> >
> > This thread got started by a question about how to go about informing
> > people about security vulnerabilities so I think we should perhaps try to
> > provide some sensible information about how to go about that that can be
> > useful to people no matter what "disclosure camp" they agree with. How
> > about something like what I've written below as an addition to
> > REPORTING-BUGS or as a separate REPORTING-SECURITY-BUGS document ?
>
> Let's just bite the bullet...
>
No value in providing some info on what's the appreciated behaviour for
both the coordinated disclosure and full disclosure people of the world?
Both camps are going to continue to exist, and if you only provide
information on the preferred approach for coordinated disclosure then you
have even less influence on how the full disclosure camp will spread the
info - if you provide some info for them as well, at least some are going
to follow it and then more of the proper kernel people will get notified
at once instead of finding out later via other channels. I still think
adding something along the lines of what I wrote to REPORTING-BUGS has
merit.


--
Jesper Juhl


PS. Linus, adding you to CC since you're involved in the new thread on
more or less the same topic, so I thought you might be interested in this
thread as well.
