[Hampshire] How should the Open Source world handle new vuln…

Author: Damian Brasher
Date:  
To: Hants Lug
Subject: [Hampshire] How should the Open Source world handle new vulnerabilities?
When you first see this: "Linux Kernel 'sock_sendpage()' NULL Pointer
Dereference Vulnerability" in an email or twitter it does not mean much at
first glance.

When you realise this is a kernel issue, and if you are a Linux systems
administrator, you will start scanning and thinking, then you read some more
and realise this is serious. Then, after 10 minutes, the ramifications hit home,
depending on the systems you maintain and your level of responsibility, on a scale
between 1 (a single netbook running UNR) and 10, plus some off the scale;
some may know what I mean.

My sentiments towards the Google security team are ambivalent. They were
doing a job and did it well. I feel that the Open Source universe (and the
proprietary one) does not have a satisfactory model for announcing and fixing
serious security vulnerabilities. The impact on users, businesses, code
maintainers and managers, all the way through the various components of the
producer-to-consumer chain, can be heavy, and I believe the process from announcement
to fix could be much, much better.

The Google security team announcement on the 13th September will have had a
negative impact on Open Source communities, as any accident does, but it
seems that lessons ought to be learnt.

A simple model could be:

1) Security vulnerability found.
2) Developer(s) contacted privately before announcement is made public.
3) Developer fix privately forwarded to major vendors.
4) Major vendors generate patch and make it available.
5) Public announcement is made.

This point will have been made time and again: could or should a protocol be
made law? If a vulnerability has taken a team of top security experts to
discover, then the likelihood of an individual or organisation finding the
same vulnerability in the same amount of time must, in general, be slight.

I find it difficult to see the benefits of making a vulnerability public
before at least contacting the developer. Should a large multinational like
Google be allowed to uncover an error and then tell the whole world whenever it feels
like it? Is that ethical? Could it be seen as an act of aggression?

From now on I'm going to make a point of reading more about this process and
following moves to change the current vulnerability discovery and announcement
protocol.

Any thoughts or information?

Damian

--
WWW http://www.diaser.org.uk - Open Source Data Vault Application - beta-1

RSS http://sourceforge.net/export/rss2_projnews.php?group_id=258272
