Re: [Hampshire] How should the Open Source world handle new …

Author: James Courtier-Dutton
To: lug, Hampshire LUG Discussion List
Subject: Re: [Hampshire] How should the Open Source world handle new vulnerabilities?
2009/9/26 Damian Brasher <lug@???>:
>
> The Google security team announcement on the 13th September will have had a
> negative impact on Open Source communities, like any accident does, but it
> seems that lessons ought to be learnt.
>
> A simple model could be:
>
> 1) Security vulnerability found.
> 2) Developer(s) contacted privately before announcement is made public.
> 3) Developer fix privately forwarded to major vendors.
> 4) Major vendors generate patch and make it available.
> 5) Public announcement is made.
>
> This point will have been made time and again; could or should a protocol be
> made law? If a vulnerability has taken a team of top security experts to
> discover, then the likelihood of an individual or organisation finding the
> same vulnerability in the same amount of time must be slight in general.
>
As a kernel developer I can assure you that a lot of discussion occurs
regarding security vulnerabilities, but most of it is never made
public.
Fixes go into the kernel without being highlighted too obviously
in the changelog.