←back to thread

Libxml2's "no security embargoes" policy

(lwn.net)
278 points jwilk | 1 comments | 25 Jun 25 19:36 UTC | HN request time: 0.217s | source
Show context
DeepYogurt ◴[25 Jun 25 21:52 UTC] No.44382139[source]
It'd be great if some of these open source security initiatives could dial up the quality of reports. I've seen so so many reports for some totally unreachable code and get a cve for causing a crash. Maintainers will argue that user input is filtered elsewhere and the "vuln" isn't real, but mitre don't care.
replies(3): >>44382170 #>>44382407 #>>44382413 #
mschuster91 ◴[25 Jun 25 21:57 UTC] No.44382170[source]
> I've seen so so many reports for some totally unreachable code and get a cve for causing a crash.

There have been a lot of cases where something once deemed "unreachable" eventually was reachable, sometimes years later, after a refactoring and now there was an issue.

replies(2): >>44382232 #>>44383832 #
DeepYogurt ◴[25 Jun 25 22:06 UTC] No.44382232[source]
At what rate though? Is it worth burning out devs we as a community rely upon because maybe someday 0.000001% of these bugs might have real impact? I think we need to ask more of these "security researchers". Either provide a real world attack vector or start patching these bugs along with the reports.
replies(2): >>44382273 #>>44382336 #
bigfatkitten ◴[25 Jun 25 22:12 UTC] No.44382273[source]
“PoC or GTFO” is an entirely reasonable response.
replies(3): >>44382466 #>>44382698 #>>44384612 #
1. marcusb ◴[25 Jun 25 22:45 UTC] No.44382466[source]
Also a wonderful zine!