

























I completely agree. It's just a dream to imagine that by asking not to disclose, issues won't be found in parallel. On the kernel I think that we've seen up to 8 independent reports for the same unfixed issue within a few days. Coordinating disclosure will just keep victims exposed longer to bugs, it's always the same story, there is bureaucracy on one side where it's impossible to push a fix quickly, and there are attackers exploiting vulnerabilities on the other side, and whose business is to play with unfixed issues. The longer the delay between the discovery by the *attacker* and the fix being deployed, the higher the exposure. Anything that contributes to delaying deployment (which CRD is) is just extending exposure and making more users vulnerable.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。