On Jul 30, 2013, at 12:01 AM, Antoine Pitrou <solip...@pitrou.net> wrote:
> Donald Stufft <donald <at> stufft.io> writes:
>>
>> I have zero qualms about releasing a full disclosure along with working exploits
>> into the wild for a security vulnerability that people block me on. If I'm unable
>> to rectify the problem I will make sure that everyone *knows* about the problem.
>
> I don't know what I'm supposed to infer from such a statement, except that I
> probably don't want to trust you. You might think that "publish[ing] working
> exploits into the wild" is some kind of heroic, altruistic act, but I think few
> people would agree.

No, this is the standard for security researchers. If the vendor ignores the reported exploit for long enough, they go public and try to make sure users understand the risks and how to mitigate them in the time it takes the vendor to fix it.

--Noah
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org http://mail.python.org/mailman/listinfo/distutils-sig