[sldev] Viewer security vulnerability disclosure group

ordinal.malaprop at fastmail.fm
Fri Dec 26 15:44:26 PST 2008


On 26 Dec 2008, at 17:01, infinity at lindenlab.com wrote:

> so.. for the sake of discussion.. let's assume the following discussion is
> true "there is a serious exploit in the current LL viewer code which will
> lead to disclosure of sensitive user information, compromise of systems
> running the client, illegal asset or funds transfer and global
> thermonuclear war."
>
> if a security researcher out in the trenches discovers a vulnerability,
> disclosing it widely before a fix is available is clearly bad for not only
> Linden, but for the user community. nuclear war is generally bad for
> everybody...
>
> ..."telling everybody about a security vulnerability before remediation is
> available is bad."

I am sorry but I'm afraid that that really doesn't make the case at all.
Your post ignores any potential benefit granted to users by knowing what an
exploit is and how to counteract it before it is once-and-for-all fixed on
the server side by LL. The overall impact is still better if users have the
chance to patch and adapt before fixes are available if fixes don't arrive
almost immediately. Which they may well not do.
