RFPolicy

RFPolicy

Posted Jan 8, 2005 19:27 UTC (Sat) by dmarti (subscriber, #11625)
Parent article: grsecurity 2.1.0 and kernel vulnerabilities

There's an industry-standard policy for advance notices of vulnerabilites before publication. ORIGINATOR is the person discovering the vulnerability.

It is important that the ORIGINATOR review any documentation included with the object of the ISSUE for indication of a proper method of contact. That failing, the ORIGINATOR should check the web site of the MAINTAINER for methods of contact. Should the ORIGINATOR not be able to locate a suitable email address for the MAINTAINER, the ORIGINATOR should address the ISSUE to:

security-alert@[MAINTAINER]
secure@[MAINTAINER]
security@[MAINTAINER]
support@[MAINTAINER]
info@[MAINTAINER]

regardless of their existence. Anyone who could be deemed as a 'MAINTAINER' is encouraged to populate at least some of the above email addresses.

---

to post comments

RFPolicy

Posted Jan 10, 2005 17:02 UTC (Mon) by pjs (guest, #10927) [Link]

Yes, but apparantly best (or even remotely good) practices don't apply here.

You see, they couldn't contact vendor-sec because they don't trust vendor-sec anymore due to the recent botched handling of the uselib bug.

So they contacted Linus and Adrew directly. When emails went unanswered for 3 weeks, Linus and Andrew couldn't be trusted anymore either.

So, you can clearly see it follows from the above that the only practice left, having exhausted all the "best" ones, is to release details and exploit code for new and previously discovered bugs, with an angry rant. With such a zero-tolerance policy for mis-handling of bug reports, it's easy to quickly run out of options.