[sldev] Viewer security vulnerability disclosure group
Gordon Wendt
GordonWendt at gmail.com
Fri Dec 26 11:40:45 PST 2008
On Fri, Dec 26, 2008 at 1:09 PM, Rob Lanphier <robla at lindenlab.com> wrote:
> Option 3: Linden Lab only discloses vulnerabilities when a patch or fix
> is available (no early disclosure group).
I think that is the best option. As soon as LL has a fix, release a patch
as well as a full disclosure of what the vulnerability is/was, how it was
exploited, and how to update to close it.
On Fri, Dec 26, 2008 at 2:08 PM, Sheet Spotter <sheet.spotter at gmail.com> wrote:
>
> I see the disclosure of vulnerabilities as similar to the disclosure of
> your password. Publicly disclosing or sharing your password before you
> can change it is unwise.
I would list the numerous reasons why your entire post is just wrong, but I
think Ordinal did a better job of quickly summing it up than I could.
On Fri, Dec 26, 2008 at 2:19 PM, <ordinal.malaprop at fastmail.fm> wrote:
> Vulnerabilities are not like passwords. Passwords cannot be discovered by
> experimentation and analysis (well, not if they are good passwords).
> Passwords provide no risk unless actively disclosed.
>
> Vulnerabilities _do_ constitute an active risk regardless of whether they
> are disclosed or not, as people looking for them can (and will) find them
> eventually, and once they have, the details will spread explosively.
> Exposing them before they are fixed at least gives users the chance to
> defend themselves before this happens, even if that means closing down
> systems.
>
> If there is a vulnerability in SL which was not already widely known - and
> how can one tell? - and which LL knew that they could fix quite shortly,
> then it would be best to err towards keeping it quiet until it was fixed. If
> there is not progress on fixing a vulnerability then it needs to be
> publicised so that people can account for it.
I agree wholeheartedly. If an issue can be fixed shortly, then LL should put
the devs on it and get it fixed, then (per what I said above) release a patch
and a full disclosure of the issue as well as patch/upgrade steps. If it's
something without a quick fix that can be fixed, or even just mitigated,
client side, I trust Nicholaz and the other third-party viewer makers more
than LL to get a good patch out to their users.