
277 points jwilk | 1 comments
throwaway2037 ◴[] No.44384478[source]

    > ...there are currently four bugs marked with the security label in the libxml2 issue tracker. Three of those were opened on May 7 by Nikita Sveshnikov, a security researcher who works for a company called Positive Technologies.
I'm confused. Why doesn't Positive Technologies submit a patch or offer to pay the lead maintainer to implement a fix?

FYI, Wiki tells me:

    > Positive Technologies is a Russian information security research company and a global leader in cybersecurity.
1. brazzy ◴[] No.44384649[source]
Because they don't use libxml2 and don't actually have any need for a fix. They only want to build a reputation as pentesters by finding vulnerabilities in high-profile projects.