←back to thread

Libxml2's "no security embargoes" policy

(lwn.net)
279 points jwilk | 3 comments | 25 Jun 25 19:36 UTC | HN request time: 1.272s | source
1. kstrauser ◴[25 Jun 25 22:52 UTC] No.44382528[source]
> It includes a request for Wellnhofer to provide a CVE number for the vulnerability and provide information about an expected patch date.

“Three.”

“Like, the number 3? As in, 1, 2, …?”

“Yes. If you’re expecting me to pick, this will be CVE-3.”

replies(2): >>44386285 #>>44387688 #
2. mrweasel ◴[26 Jun 25 11:24 UTC] No.44386285[source]
I think he should just reject reports of vulnerabilities if they aren't accompanied by a patch.
3. viraptor ◴[26 Jun 25 14:19 UTC] No.44387688[source]
The project doesn't have to provide one though. The person reporting it can handle it if they care. It's ok to say "I'm not interested in those".