undefined | Better HN

0 pointsdrb917y ago0 comments

> So... my best guess is that Theo's response to your proposed email would be "hey everyone, eridius is going to be announcing a vulnerability at <deadline> and he's refusing to tell me what it is".

This actually sound quite reasonable to me.

0 comments

3 comments · 1 top-level

AdamJacobMuller7y ago· 2 in thread

The problem comes if someone is specifically involved with a specific project. You've just seriously narrowed the search space for new vulnerabilities for someone by several orders of magnitude. The specific person who is named, or the organization who is releasing the information, may narrow the search space even further.

HelloNurse7y ago

What about caring for users? If I know X is vulnerable I can decide to disable X by default for all OpenBSD users without needing to know the details.

Knowing the details would make the difference between drastic and inconvenient mitigations (maybe no graphics at all) and just "disabling legacy drivers and lose the setuid bit".

If after my warning hackers start focusing on X, my users are already on the run: it isn't a problem for them.

drb91OP7y ago

Sooner or later one of these vendors will start leaking without Theo’s grace and the embargo will protect the exploiters. I say axe the embargo and get into a habit of real time incident management.

j / k navigate · click thread line to collapse