On Sat, 7 Oct 2017, Rich Gray wrote:
> I tried to post this as a comment to your article, but it failed with:
Sorry, I get that at times and I haven't quite worked out why yet. (it has something to do with the interaction with Fastly as the CDN for my site)
> Nice. I do wonder if you should spell out what a CVE is. Sometimes you seem to use CVE as shorthand for CVE id, at other times for the CVE report itself.
Hm, yes. I'll clarify that a little. Thanks!
> What sort of embargo does Mitre allow?
I honestly don't know. I've only used Mitre directly like once or twice and I haven't had any problems or discussions with them about embargoes.
Mitre doesn't seem to have any proper system to know when the advisory is finally made public (they often remain as "reserved" for a long time even after having been made official) so I don't think they even know or care much for embargo period lengths.
I prefer using the distros@openwall way as it also makes the advisory actually get read by humans and often the patch(es) are tested/verified by people before we make it official so it helps us ship a better advisory and a better patch.
> (Every time I hear that name, I'm reminded of Clifford Stoll's delightful 1989 book, The Cuckoo's Egg[2]. The book is a great read if you can find it.)
Agreed. I've read it too!

-- 
/ daniel.haxx.se

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
