←back to thread

Libxml2's "no security embargoes" policy

(lwn.net)
279 points jwilk | 2 comments | 25 Jun 25 19:36 UTC | HN request time: 0.61s | source
1. SAI_Peregrinus ◴[26 Jun 25 00:24 UTC] No.44383085[source]
There are two types of responsible disclosure: coordinated disclosure where there's an embargo (ostensibly so that the maintainer can patch the software before the vulnerability is widely known) and full disclosure where there's no embargo (so that users can mitigate the vulnerability on their own, useful if it's already being exploited). There's no reason a maintainer shouldn't be allowed to default to full disclosure. In general, any involved party can disclose fully. Irresponsible disclosure is solely disclosing the vulnerability to groups that will exploit it, e.g. NSO.
replies(1): >>44383826 #
2. tptacek ◴[26 Jun 25 02:54 UTC] No.44383826[source]
Yeah, exactly. And the subtext of all of this is that big companies are going to get burnt by these kinds of decisions. But big companies work around this kind of thing all the time. OpenSSL is a good example.