Re: full disclosure, or not?
On Sat, Jun 26, 2004 at 02:39:02PM +0200, martin f krafft wrote:
> anything from its users. If a root exploit is out there, users want
> to know about it. Keeping it a secret is childish.
what would be the alternative?
The security team would have to announce "there's a possible security
flaw in package XY, we're on it, but it may take some more days to fix
What's the worth of such announcements? Users (You'd) know about a bug, but
still could not do anything about it. After all, I'd strongly object
to my web-host/ISP/Sys-Admin/... switching off
apache/php/ssh/name-whatever-tool-you-really-need because they have heard of
a yet unfixed security-problem.
> So what is the official procedure of the security team?
I guess it's "work as hard as possible to fix it as soon as possible
and then release a fix on d.s.o".