by bathtub365 50 days ago
To be clear, the vulnerability existed in Linux, not in Xint Code. It existed whether this group disclosed it or not. Knowledge of it and exploits may have already been bought and sold among various groups with various motives including crime, terrorism, or cyberwarfare who likely made good money off it if this happened.

In that world, the vulnerability has more value to those who seek to exploit it for their own motives, regardless of the consequences. They hope that no one else stumbles on it and fixes it, preventing them from continuing to use it to do bad things.

In the world where it is disclosed, there is more value in fixing the vulnerability as the maintainer’s reputation is at risk (and potentially monetary loss or legal liability if they are shown to be negligent).


Yes, and that's why we have the responsible disclosure protocol. It wasn't correctly followed here.

There is no such thing as "the responsible disclosure protocol". There's really no such thing as "responsible disclosure" at all, but "the responsible disclosure protocol" is a term I have literally never heard before. (I've been a vulnerability researcher since the mid-1990s, for what it's worth.)
https://en.wikipedia.org/wiki/Coordinated_vulnerability_disc...

> In computer security, coordinated vulnerability disclosure (CVD, sometimes known as responsible disclosure)

I guess you can learn something new after 36 years.

If you are referring to what you quoted, your pedantry and sharpshooting would result in an incomplete English sentence: "that's why we have the responsible disclosure" is missing a noun. Now that we are firmly in worthless pedantry:

Protocol (n):

1.a. a system of rules that explain the correct conduct and procedures to be followed in formal situations

1.b. a set of conventions governing the treatment and especially the formatting of data in an electronic communications system

If you don't like what I said or disagree, poke holes in factual inaccuracies. However, in the reality that I am pretty sure we all share, responsible disclosure is a well established protocol that is followed by many security researchers, and was imperfectly followed here.

I don't think you're going to bluff your way through this.

From elsewhere.[1]

> You: No, I wouldn't, because my own preferences are towards immediate disclosure.

And there it is. You could have said "I don't think responsible disclosure is a good idea" and moved on, but now we have whatever the fuck this is.

Bluffing sure as hell beats incapable of being wrong. I'll take it.

[1]: https://news.ycombinator.com/item?id=47969417

What rules were not followed here?

Tons of distros were not informed.

If you discover a vulnerability in OpenSSL, are you required to track down and separately notify every downstream packager of OpenSSL?

Or do you rely on the OpenSSL project to work their established process?

Is that a rule? Are there rules?

These researchers found a vulnerability in the Linux kernel. They could have just written a blog post and put it online, or not told anybody, or sold it. But instead they decided to tell the Linux kernel devs, and give them time to act before publishing.

And your beef is that you’ve decided they needed to also inform individual downstream projects that use the Linux kernel? Why? Which ones?

Which part was not correctly followed?