[sldev] Viewer security vulnerability disclosure group

Meadhbh Hamrick (Infinity) infinity at lindenlab.com
Sun Dec 28 07:10:56 PST 2008


what are users going to use to patch their viewers?

remember. the vast majority of SL users do not compile the viewer from
source, they download it from the SL website.

On Dec 26, 2008, at 3:44 PM, ordinal.malaprop at fastmail.fm wrote:

>
> On 26 Dec 2008, at 17:01, infinity at lindenlab.com wrote:
>
>> so.. for the sake of discussion.. let's assume the following discussion is
>> true "there is a serious exploit in the current LL viewer code which will
>> lead to disclosure of sensitive user information, compromise of systems
>> running the client, illegal asset or funds transfer and global
>> thermonuclear war."
>>
>> if a security researcher out in the trenches discovers a vulnerability,
>> disclosing it widely before a fix is available is clearly bad for not only
>> Linden, but for the user community. nuclear war is generally bad for
>> everybody...
>>
>> ..."telling everybody about a security vulnerability before remediation is
>> available is bad."
>
> I am sorry but I'm afraid that that really doesn't make the case at
> all. Your post ignores any potential benefit granted to users by
> knowing what an exploit is and how to counteract it before it is
> once-and-for-all fixed on the server side by LL. The overall impact
> is still better if users have the chance to patch and adapt before
> fixes are available if fixes don't arrive almost immediately. Which
> they may well not do.


