OpenBSD was notified of the vulnerability on 15 July 2017, before
CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt
replied and critiqued the tentative disclosure deadline: "In the open
source world, if a person writes a diff and has to sit on it for a
month, that is very discouraging." Note that I wrote and included a
suggested diff for OpenBSD already, and that at the time the tentative
disclosure deadline was around the end of August. As a compromise, I
allowed them to silently patch the vulnerability. In hindsight this was
a bad decision, since others might rediscover the vulnerability by
inspecting their silent patch. To avoid this problem in the future,
OpenBSD will now receive vulnerability notifications closer to the end
of an embargo.
REF: https://marc.info/?l=openbsd-misc&m=150815942414653&w=2