No, it's incompetence from everyone involved except the company making the disclosure, which, despite the fact that the existing norms are not in fact binding (like people downthread seem to believe), they followed.

> Gentoo has to take some blame too for not keeping all the kernels they maintain patched in a timely way.

How do you figure that? From what I could tell from the earlier post, the fix has only been backported to 6.18 and later, and as TFA indicates the distro's were not informed of the security implications of this fix. All distro's shipping a major kernel version from more than a year ago -- and that includes all LTS kernels -- are vulnerable, regardless of how "timely" their patch schedules follow upstream.

you minimize this with the curated contact list.

the baddies are looking at every patch anyways.

"Didn't go anywhere"? The kernel devs patched it! They patched it weeks ago! The kernel security team needs to communicate security problems in their own releases, because that is where the distros are already looking.

Requiring the security researcher to do it is insane. Should a security researcher that identifies a vulnerability in electron.js need to identify every possible project using electron.js to communicate with them the vulnerability exists? No. That's absurd.

No.

The problem is that vendors and developers have repeatedly shown that if you give them an inch, they take a mile. Look at exactly what happened with BlueHammer this month. The security researcher went full disclosure because Microsoft didn't listen to their reports.

Disclosure is vital. It's essential. Because the truth is, if a security researcher has found it, it's extremely likely that it's already been found by either black hats or by state actors. Ignorance is not actually protection from exploitation.

The security researcher also has a responsibility to the general public that is still actively using vulnerable software in ignorance. They need to be protected from vendor and developer negligence as well as from exploits. And the only way to protect yourself from an exploit that hasn't yet been patched is to know that it is there.

I used to think the context of the fame mattered. At least in the US, it does not.

Hell, Crowdstrike is still purchased.

If they want to be seen as responsible rather than opportunistic, then yeah, they should do a proper coordinated disclosure.

Sure, they have no legal obligation to disclose, but we all also have no legal obligation to buy their services. Blacklisting bad actors like this is the right move to discourage this kind of behavior.

Unfortunately this is correct. As a security researcher I set millions in profit on fire for reporting vulns to projects that offer no bounties vs selling to highest bidder. I keep doing it because it is the right thing to do, but I would not blame someone that needs to feed their family making a different choice.

We must get public funds to reward ethical disclosure of big impact vulns like this.

> Researchers are under no obligation to engage in coordinated disclosure and are free to sell 0day for profit. Just fyi. Be glad it was disclosed at all.

I'm so glad these so called "researchers" aren't totally evil, I'm so grateful they're only half evil, give them a lollipop.

Whatever, the way they disclosed it isn't much different from no disclosure at all - the exploit would have been identified in the wild and fixed soon thereafter.

"Researchers"...

> are free to sell 0day for profit.

This is not true in many jurisdictions.

I'm pretty sure they have a legal obligation in most jurisdictions not to sell 0days for profit.

And they absolutely have a moral obligation to do things in a way to minimize damage and impact to other people's systems. (I'm not saying "responsible disclosure" is the correct way to do that, but hoarding vulnerabilities and exploits and selling them to the highest bidder certainly isn't.)

This is how society needs to work.

mmmmmm, no it would seem like they are absolutely under a social obligation to not do that.

[flagged]

> Researchers are under no obligation to engage in coordinated disclosure and are free to sell 0day for profit.

Uh... no? If you mean legally, some people might, depending on jurisdiction. But also, ethically? yes, researchers are ethically obligated to disclose responsibly.

> Just fyi.

...

> Be glad it was disclosed at all. Be glad a patch was available prior to release.

I am glad that a patch was available. Equally I can be glad that the linux community is strong enough to respond quickly, while also being angry that this person behaves unethically.

Likewise, when people in my industry behave poorly, or unethically; I'm now the person ethically obligated to both point it out, and condemn it. Not to become an apologist demanding I should be happy watching bad things happen, when much of the fallout could have been prevented with a bit less incompetence and ignorance.

They should have a legal obligation to engage in coordinated/responsible disclosure, and it should be a crime to sell or disclose a 0day to anyone other than a state-designated security organization or the vendor/provider.

If it won’t be handled through criminal law then it’ll be handled through civil litigation: Anyone who was exploited as a result of this disclosure should sue the discloser for contributing to the damage they’ve suffered.

that is basically how all large companies behave anyway. socialize the losses (bailouts, layoffs, negative economic impacts in the communities they reside, etc.) and privatize the gains.

Why do you assume banks would keep on doing the same old thing but paying more because of it? The cost would make them learn not to design systems where something like this hypothetical scenario was possible.

[flagged]

Respectfully, I don't think they're missing the point. Banking, as an institution, has its flaws, but deposit insurance isn't one of them. These vulnerabilities exist whether or not they follow specific disclosure rituals, and systems should be deployed with defense-in-depth so that one privilege-escalation flaw is a recoverable event. Inventing tortured counterfactual analogies doesn't change the basic thrust of the poster's point: the account is insured, so getting drained by an attacker is not a fatal problem. Of course people should still take steps to prevent that from happening, but that doesn't mean prevention is (or should be) the only cure.

Um, yes, everyone is expected to upgrade and reboot on a moment's notice. No policy or norm you come up with will change that.

(This bug does not technically require a reboot to mitigate).

to which distros? how do you ensure fairness? Do you report this to the maintainer of Red Star OS (north korea)?

The kernel security team was given the heads up a month ago. At that point it is their decision.

What does that have to do with this comment thread?

Copying from the comment I was replying to:

> But publishing a working exploit together with the disclosure before patches are available is really really irresponsible, maybe even criminal

If you wanted to somehow make coordinated disclosure into a legal framework, that would be an interesting and complex project.

But it’s not the law anywhere I’m aware of today, and I’d not support it becoming a law.

You know companies are allowed to pay people to find vulns, and pay people bug bounties?

Instead of that, you’d rather make the law compel free individuals to limit their speech, or to hand over their work to big companies privately, so big companies can save money?

That doesn’t sound like a nice future, if it’s even enforceable at all.

Not true, if there’s any evidence of the exploit being used in the wild, it’s much more responsible to release immediately.

Considering that the patches have been available for a while, someone surely reversed what they were for and was actually exploiting this in the wild.

In the age of AI, I’d argue that “responsible disclosure” is dead. Arguably even in closed source projects. Just ask Claude to do a diff between the previous version and to see whether anything fixed in there could have had security implications.

We’re not there yet, but very soon the only way to responsibly disclose a vulnerability will be immediately.

“Made it into the wild?” Patches landed a month ago. Should they also wait until my linksys router from 2018 has a patch ready?

That's mostly on Greg, a bit on the author.

Fedora is patched.

I don't know what you mean at all. I'm just repeating known kernel policy here. What does 6.12 have to do with anything?

Yes.

You know the linux kernel is a free software project right? If you think “somebody should” do a thing but you aren’t prepared to do it yourself then you should maybe ask for a full refund.

  > we can always help them by mandating that they spend 6 figures

AWS and GCP are downstream another level. Should the reporter also have worked with them? And their customers? And the customers of their customers?

IMO this whole discussion seems like people are annoyed by the security researchers doing god’s work and wish they didn’t exist or think that they should be fully subservient to the projects and companies they are helping for free. The bugs were there before the researchers revealed them!!

I asked a question and you replied with a statement. Your statement didn’t frame itself as an opinion but as fact.

The hilarious bit is that the idea that they needed to coordinate is clearly broken even in just this example. They did give prior notice to the Linux developers, who issued a patch. And they’re still getting raked over the coals in this comment page by armchair quarterbacks who have decided they needed to coordinate with specific distros. If they’d coordinated with those distros, somebody would have a pet distro that didn’t make the cut and they’d be pissed about that.

There are risks no matter how they do it, and there will be people who are pissed no matter how they do it. Security researchers don’t owe anybody a specific methodology.