www/info

Luke Chatburn lchatburn at isset.org
Wed Oct 9 08:16:21 BST 2002


Hi all...

The rules usually accepted in the industry are as follows:

- Security vulnerabilities get reported directly to vendor or coders.

- There is a *30* day grace period before making the vulnerability public.
This allows time for problem analysis, production of patches and for the
vendor to announce the vuln. as part of the patch announcement. That way,
everything is covered and the user is at no point exposed to a situation
where the vendor is giving out details of the flaw without a patch.

- People finding flaws and just releasing them publicly are idiots. Like the
folks who found that Apache vuln. and told the Apache Foundation at the same
time they told the world and created a broken fix for it. It was a few days
until the Apache folks were able to get a proper patch sorted and users were
put at risk because details of the vulnerability were wandering around, all
because of that security company's ego trip.

- With Linux, frequently, if a vulnerability is found, patching is a very
fast process <1 day; however, this also needs to be fed out to the major
distros, so that they can get working binary patches for their users before
they are ready to announce.

- Distros tend to hang back with announcements even after they have a patch
in hand, to make sure the other major distros do too, so that other people's
customers are not exposed through an announcement for one distro.

Normally, though, this is done easily within the 30 day period. Usually a
day or two.

Certain other companies, which shall remain nameless, tend to leave things
for a lot longer than 30 days, so people release the vuln. to the public
after that, to make them aware and let them try and protect themselves and
also to put some public pressure on that company to issue a patch.

The key is minimising risk to users and premature announcements will put
them at risk, by giving details out that might be used to form an exploit.
Open Source is strong, in that it has a large number of talented coders who
can fix issues quickly, and code in such a way that these things don't crop
up very often. Still, the 30 day rule still stands and is a good one. Let's
tell the bad people about a flaw at the same time we hand over the patch to
the good people.

-Luke

----- Original Message -----
From: "Holger Freyther" <freyther at gmx.net>
To: <kde-core-devel at mail.kde.org>
Sent: Wednesday, October 09, 2002 12:21 AM
Subject: Re: www/info


> On Wednesday 09 October 2002 00:14, Neil Stevens wrote:
> > On Tuesday October 08, 2002 03:12, Martijn Klingens wrote:
> > > On Tuesday 08 October 2002 23:44, Neil Stevens wrote:
> > > > So is it KDE's policy not to warn users when the problem is found, but
> > > > only to let people know that their systems are vulnerable when the fix
> > > > is released?
> > >
> > > I was already warned about the kghostview problem by a SuSE security
> > > announcement as 'pending vulnerability'. The KPF one is new for me too.
> > >
> > > Either way I think it's better not to mention the bug to the general
> > > public before the fix is there. This is common practice for _ANY_
> > > software package, regardless of vendor. Apache does this, PHP does this,
> > > Microsoft does this. I can't think of a common package that does not,
> > > actually, unless there's a pressing reason to do so (e.g. an exploit is
> > > already out in the wild).
> >
> > Then users should be warned that some KDE developers will knowingly and
> > willfully withhold information.
> >
> > > As soon as the bug is known exploits will appear. Better have the patch
> > > ready too at the same time if there's no known exploit yet.
> > >
> > > Did you notice that most security mailing lists don't publicly announce
> > > problems before a patch is available either to give vendors the time to
> > > fix the bug first? Only if it takes too long or if the problem is urgent
> > > they tend not to adhere to this rule of thumb.
> >
> > I don't care what everyone else does.  In this context, I only care what
> > KDE does.
> nice......... I'm lacking words... (i18n_rev("Mir fehlen echt die Worte") )
>
> --
> _____________________________________________
> Holger 'zecke' Freyther
> developer
> Project OPIE- the Open Palmtop Integrated Environment
> http://opie.handhelds.org | http://www.opie.info (german)
> IRC: irc.freenode.net #opie #opie.de
