
278 points | jwilk | 1 comment
throwaway2037 ◴[] No.44384478[source]

    > ...there are currently four bugs marked with the security label in the libxml2 issue tracker. Three of those were opened on May 7 by Nikita Sveshnikov, a security researcher who works for a company called Positive Technologies.
I'm confused. Why doesn't Positive Technologies submit a patch or offer to pay the lead maintainer to implement a fix?

FYI, Wiki tells me:

    > Positive Technologies is a Russian information security research company and a global leader in cybersecurity.
1. jeroenhd ◴[] No.44385563[source]
The security researcher is paid to find vulnerabilities, not to fix them. These companies are selling code analysis to their customers and the more issues they find, the more they'll be worth.

When it comes to fixing the issues, their customers will have to beg/spam/threaten the maintainers until the problem is solved. They probably won't write a patch; after all, Apple, Google, and Microsoft are only small companies with limited funds.