
279 points jwilk | 6 comments
1. throwaway2037 No.44384478

    > ...there are currently four bugs marked with the security label in the libxml2 issue tracker. Three of those were opened on May 7 by Nikita Sveshnikov, a security researcher who works for a company called Positive Technologies.
I'm confused. Why doesn't Positive Technologies submit a patch or offer to pay the lead maintainer to implement a fix?

FYI, Wiki tells me:

    > Positive Technologies is a Russian information security research company and a global leader in cybersecurity.
replies(5): >>44384500, >>44384649, >>44384997, >>44385563, >>44389020
2. codedokode No.44384500
Because they have other things to do? Nobody pays them for fixing it too.
3. brazzy No.44384649
Because they don't use libxml2 and don't actually have any need for a fix. They only want to build a reputation as pentesters by finding vulnerabilities in high-profile projects.
4. flomo No.44384997
Perhaps you are imagining some free software bong(o drum) circle?

The big point is this is a critical component for Apple and Google (and maybe Microsoft), and nobody is paying any attention to it.

5. jeroenhd No.44385563
The security researcher is paid to find vulnerabilities, not to fix them. These companies are selling code analysis to their customers and the more issues they find, the more they'll be worth.

When it comes to fixing the issues, their customers will have to beg/spam/threaten the maintainers until the problem is solved. They probably won't write a patch; after all, Apple, Google, and Microsoft are only small companies with limited funds.

6. throwaway2037 No.44389020
I am replying to my own post instead of replying to all of the child posts:

The point of my original post, which I hoped someone would see/interpret: Reporting "security bugs" without a patch or an offer to pay the lead maintainer to implement a fix feels like blackmail in 2025. Yes, I know this will be a hugely controversial opinion amongst the HN crowd. Personally: I don't see a huge amount of commercial value in pure infosec research that does not include funds to develop or fund a patch. The primary purpose of these "pure" infosec research firms is to generate FOMO for enterprise clients who pay them for private patches or "support".