semiquaver 7 hours ago
In what sense do you believe that the reporter did not notify the security team of the relevant software? The vulnerability is in the kernel. The reporter responsibly disclosed it using the kernel's security report mechanism and waited until a patch was ready. Distros are downstream of the kernel; that doesn't entitle them to expect to be contacted directly by every security reporter. That's not on them. Distros that are big enough should be plugged into the Linux security team for notifications. Security researchers cannot be held responsible for broken lines of communication within the org charts of the projects that they study. They're providing a valuable public service already; how much more do you want?
ragall 6 hours ago
> that doesn't entitle them to expect to be contacted directly by the reporter

Yes it does. That's how it's always been done, and distros can ship a fix well before it ends up in a kernel release.
michaelmrose 6 hours ago
It is suggested that they, out of an abundance of caution, send 5 or 6 emails. If this is entirely too much to expect, we can always help them by mandating that they spend 6 figures annually meeting a much more robust set of requirements that will include notifying all possible affected parties, down to the Hannah Montana Linux devs if any still exist. Any strategy that assumes that the rest of the world is functional, or that makes you personally responsible for fixing all of it, is equally broken, but there is a reasonable middle ground, and sending a few more emails lies within it.