[sldev] Viewer security vulnerability disclosure group
Celierra Darling
Celierra at gmail.com
Fri Dec 26 12:18:03 PST 2008
On Fri, Dec 26, 2008 at 2:19 PM, <ordinal.malaprop at fastmail.fm> wrote:
> Vulnerabilities _do_ constitute an active risk regardless of whether they
> are disclosed or not, as people looking for them can (and will) find them
> eventually, and once they have, the details will spread explosively.
> Exposing them before they are fixed at least gives users the chance to
> defend themselves before this happens, even if that means closing down
> systems.
I'm not sure this follows. There's a difference between exposing
enough details to exploit, reproduce, and fix a vulnerability, and
providing a way to prevent or mitigate possible exploits. I think
we're just talking about the former, i.e. to whom LL can give details
like "there exists a buffer overflow near llhippos.cpp:123, triggered
by sending a malformed LLSomeMessage". Disclosing the vulnerability
to everyone like that will not necessarily help with defense, and may
likely hinder it by decreasing the time one has to implement
workarounds.
On Fri, Dec 26, 2008 at 2:40 PM, Gordon Wendt <GordonWendt at gmail.com> wrote:
> If it's
> something without a quick fix that can be fixed or even just mitigated
> client side I trust Nicholaz and the other 3rd party viewer makers more than
> LL to get a good patch out to their users.
I'm confused at the distinction here. If I take "without a quick fix"
to mean something like "LL thinks the ETA for the fix is far enough in
the future that sending separate disclosure to third-party viewer
maintainers makes sense", this sounds a lot like an early disclosure
group to me. What's the difference?
Celierra