pdw 6 days ago

Security researchers rarely fix bugs. They don't see it as their job, and it requires a very different skill set than finding or exploiting them anyway.

TheDong 6 days ago | parent | next [-]

This is misplaced in this case.

The author mentioned CVE-2021-26708, which is very similar to this bug, and in fact the author both exploited it and authored the upstream fix in the kernel.

> and it requires a very different skill set than finding or exploiting them anyway

I disagree with that. Exploiting bugs is really hard, and if you can exploit them, you absolutely know enough about the kernel in order to patch it.

Sure, architecting a kernel, making code maintainable, that's a software engineering skill. But fixing a use-after-free? That's easier than exploiting it, of course they can fix it.

Den_VR 6 days ago | parent [-]

There’s the technical challenge, and then there’s the process challenge.

account42 6 days ago | parent [-]

Sending an email with a simple patch is not a challenge.

brookst 6 days ago | parent [-]

Thanks for submitting the fix here!

account42 6 days ago | parent [-]

You might want to read the thread you are responding to instead of posting knee-jerk reactions.

blueflow 6 days ago | parent | prev [-]

"fixing bugs" gets less street cred than "hacking into things"