Libxml2's "no security embargoes" policy

(lwn.net)

277 points jwilk | 1 comments | 25 Jun 25 19:36 UTC | HN request time: 0.2s | source

Show context

arp242 ◴[25 Jun 25 22:06 UTC] No.44382233[source]▶

A lot of these "security bugs" are not really "security bugs" in the first place. Denial of service is not resulting in people's bank accounts being emptied or nude selfies being spread all over the internet.

Things like "panics on certain content" like [1] or [2] are "security bugs" now. By that standard anything that fixes a potential panic is a "security bug". I've probably fixed hundreds if not thousands of "security bugs" in my career by that standard.

Barely qualifies as a "security bug" yet it's rated as "6.2 Moderate" and "7.5 HIGH". To say nothing of gazillion "high severity" "regular expression DoS" nonsense and whatnot.

And the worst part is all of this makes it so much harder to find actual high-severity issues. It's not harmless spam.

[1]: https://github.com/gomarkdown/markdown/security/advisories/G...

[2]: https://rustsec.org/advisories/RUSTSEC-2024-0373.html

replies(13): >>44382268 #>>44382299 #>>44382855 #>>44384066 #>>44384368 #>>44384421 #>>44384513 #>>44384791 #>>44385347 #>>44385556 #>>44389612 #>>44390124 #>>44390292 #

yeyeyeyeyeyeyee ◴[26 Jun 25 06:43 UTC] No.44384791[source]▶

>>44382233 #

A basic definition of a security bug is something that violates confidentiality, integrity or availability.

A DoS affects the availability of an application, and as such is a real security bug. While the severity of it might be lower than a bug that allows to "empty bank accounts", and fixing it might get a lower priority, it doesn't make it any less real.

replies(2): >>44384859 #>>44386086 #

1. thinkharderdev ◴[26 Jun 25 10:48 UTC] No.44386086[source]▶

>>44384791 #

The CIA triad is a framework for threat modeling, not a threat model in and of itself. And what those specific terms mean will also be very system-specific.

↑