[sldev] Viewer security vulnerability disclosure group

Laurent Laborde kerdezixe at gmail.com
Wed Dec 24 00:01:43 PST 2008


On Wed, Dec 24, 2008 at 8:45 AM, Marine Kelley <marinekelley at gmail.com> wrote:

Hi !!

> - Creating an early disclosure list is not only a good idea, it's vital for
> a project of this size and popularity. Some viewers are immensely popular
> and the users expect their tool of choice to be up to date with the latest
> security fixes. When a fix is deployed, you can be sure that the official
> maintainers and publishers of each viewer, and not only the creators, get
> swarmed with alerts, requests and even demands from the users. So they have
> to be ready for when the information is revealed.

A limited early disclosure list is better than no disclosure at all.
The only people that really need a full understanding (and disclosure)
of the security hole are the developers that can fix that hole.

But, if there is a workaround to avoid/minimize the effect of the
security hole, then, it should be announced to everyone.

> - We can't rely on security through obfuscation. Therefore, not alerting the
> end users when a flaw is discovered only gives an advantage to the people
> who are already exploiting it, and in most cases it is a matter of hours
> between the discovery and the massive exploit.

It's not security through obfuscation.
A good example of security through obfuscation is the scrambling of
the texture cache. :)

-- 
F4FQM
Kerunix Flan
Laurent Laborde
