[sldev] Viewer security vulnerability disclosure group

Meadhbh Hamrick (Infinity) infinity at lindenlab.com
Sun Dec 28 07:01:58 PST 2008


hmm.. i think i see a disconnect here.

not all vulnerabilities are discovered by a community that exploits them. some are discovered internally, others are discovered by people "close" to the lab whose personal interests are not served by exploit.

and i think your comment encapsulates issues with fair and early disclosure:

"vulnerabilities should be fixed as soon as possible after discovery and the discoverer should limit disclosure to those parties who can effectively reduce the risk of exploit."

so, agreed: fixing a security bug includes sending it through the QA process.

and: if there is a large community of persons exploiting the bug, then the risk of disclosure to the group of 3rd party developers working on SL projects is reduced.

but: if the bug is not being exploited, then you increase the risk of exploit by disclosing the bug before a patch can be produced.

-cheers
-infinity

On Dec 26, 2008, at 10:31 PM, Tateru Nino wrote:

> Somewhere around the time this last QA phase begins, I'm guessing is when it is proposed that the third-parties on the disclosure list get notified, which would have their own viewers ready around the same time that Linden Lab finishes its QA pass on the first-party viewer.
>
> During all this time, exploiters will presumably be sharing information about the exploit with other exploiters and exploring variations of the exploit to see if other flaws can be .. well, exploited by similar means.
