[sldev] Viewer security vulnerability disclosure group

ordinal.malaprop at fastmail.fm
Fri Dec 26 12:27:24 PST 2008


On 26 Dec 2008, at 20:18, Celierra Darling wrote:

> On Fri, Dec 26, 2008 at 2:19 PM, <ordinal.malaprop at fastmail.fm> wrote:
>> Vulnerabilities _do_ constitute an active risk regardless of whether they
>> are disclosed or not, as people looking for them can (and will) find them
>> eventually, and once they have, the details will spread explosively.
>> Exposing them before they are fixed at least gives users the chance to
>> defend themselves before this happens, even if that means closing down
>> systems.
>
> I'm not sure this follows.  There's a difference between exposing
> enough details to exploit, reproduce, and fix a vulnerability, and
> providing a way to prevent or mitigate possible exploits.  I think
> we're just talking about the former, i.e. to whom LL can give details
> like "there exists a buffer overflow near llhippos.cpp:123, triggered
> by sending a malformed LLSomeMessage".  Disclosing the vulnerability
> to everyone like that will not necessarily help with defense, and may
> likely hinder it by decreasing the time one has to implement
> workarounds.

I don't see how it would decrease the time one has to implement
workarounds, I'm afraid - could you elaborate? One can't implement a
workaround without actually knowing about an exploit, so the time will
always be less (than infinite) when one does know about it.

The question is whether exposing an exploit will mean somebody who
otherwise wouldn't now manages to exploit the exploit before the
victim can fix things. In practice I think history indicates that
discovered exploits tend to propagate through media quite apart from
security lists.
