Daniel Stenberg wrote:
I wrote a blog post on exactly what we do when we receive and deal with a
security problem in curl. From report to release.
https://daniel.haxx.se/blog/2017/10/05/the-life-of-a-curl-security-bug/

[I tried to post this as a comment to your article, but it failed with:

"Replace this text with the error page you would like to serve to clients if your origin is offline."]


Nice. I do wonder if you should spell out what a CVE is. Sometimes you seem to use CVE as shorthand for CVE id, at other times for the CVE report itself.

 The CVE

 Once we have an advisory and a patch, none of which needs to be
 their final versions, we can proceed and ask for a CVE ID.  The
 Common Vulnerabilities and Exposures[1] (CVE) system provides a
 reference-method for publicly known cyber-security issues.

What sort of embargo does Mitre allow? (Every time I hear that name, I'm reminded of Clifford Stoll's delightful 1989 book, The Cuckoo's Egg[2], in which a hippie astrophysicist at Lawrence Berkeley National Laboratory in California is thrust into the world of cyber spies and national security agencies as he tracks down a hacker working for the KGB. The hacker was connecting from Germany through Mitre via dial-up modem and getting onto MILNET. The book inspired a 1990 PBS NOVA episode.[3] Even though the technology is dated (1200 baud!), the security lessons are still quite valid. The book is a great read if you can find it.)



Cheers!
Rich

[1] https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
or other...
[2] https://en.wikipedia.org/wiki/The_Cuckoo's_Egg
[3] https://www.youtube.com/playlist?list=PLE64466977D55F25C