throw0101a 3 hours ago

> The problem is that vendors and developers have repeatedly shown that if you give them an inch, they take a mile.

[citation needed]

Is there any evidence that Linux distros (specifically) act in this way? Or a particular distro?

john_strinlai 3 hours ago

> [citation needed]

there are ~3 decades of citations you can look at, spread out over every security mailing list, security conference, etc. that you can think of.

one decent start is https://projectzero.google/vulnerability-disclosure-faq.html...

"Prior to Project Zero our researchers had tried a number of different disclosure policies, such as coordinated vulnerability disclosure. [...] We used this model of disclosure for over a decade, and the results weren’t particularly compelling. Many fixes took over six months to be released, while some of our vulnerability reports went unfixed entirely! We were optimistic that vendors could do better, but we weren’t seeing the improvements to internal triage, patch development, testing, and release processes that we knew would provide the most benefit to users.

[...]

While every vulnerability disclosure policy has certain pros and cons, Project Zero has concluded that a 90-day disclosure deadline policy is currently the best option available for user security. Based on our experiences with using this policy for multiple years across thousands of vulnerability reports, we can say that we’re very satisfied with the results.

[...]

For example, we observed a 40% faster response time from one software vendor when comparing bugs reported against the same target over a 7-year period, while another software vendor doubled the regularity of their security updates in response to our policy."

> Linux distros (specifically) act in this way

carving out special exceptions based on nebulous criteria is a bad idea. 90+30 is what has been settled on, and mostly works.

da_chicken 3 hours ago

Really?

Because I would say that a situation where the development team fails to appreciate the severity of a security vulnerability, and has an established procedure that requires the researcher, and not the kernel team, to communicate with downstream users, is already a major failure of process. Security is not just patching the vulnerability, and it seems that the Linux kernel developers or the Linux kernel security team do not understand that.

This is the result of that failure.

If this were any other software, we'd be here with pitchforks and torches. The researcher gave the developers timed disclosure, and even waited until after the developers had patched the issue. And... it's still a problem.