(lwn.net)

286 points jwilk | 1 comments | 25 Jun 25 19:36 UTC | HN request time: 0.208s | source

Show context

throwaway2037 ◴[26 Jun 25 05:38 UTC] No.44384478[source]▶

    > ...there are currently four bugs marked with the security label in the libxml2 issue tracker. Three of those were opened on May 7 by Nikita Sveshnikov, a security researcher who works for a company called Positive Technologies.

I'm confused. Why doesn't Positive Technologies submit a patch or offer to pay the lead maintainer to implement a fix?

FYI, Wiki tells me:

    > Positive Technologies is a Russian information security research company and a global leader in cybersecurity.

replies(5): >>44384500 #>>44384649 #>>44384997 #>>44385563 #>>44389020 #

1. throwaway2037 ◴[26 Jun 25 16:41 UTC] No.44389020[source]▶

>>44384478 #

I am replying to my own post instead of replying to all of the child posts:

The point of my original post... that I hoped someone would see/interpret: Reporting "security bugs" without a patch or an offer to pay the lead maintainer to implement a fix feels like blackmail in 2025. Yes, I know this will be a hugely controversial opinion amoungst HN crowd. Personally: I don't see a huge amount of commercial value in pure infosec research that does not include funds to develop or fund a patch. The primary purpose of these "pure" infosec research firms is to generate FOMO for enterprise clients who pay them for private patches or "support".

↑

Libxml2's "no security embargoes" policy