On Tue, Jun 18, 2019 at 04:55:35PM -0700, Gordon Tetlow wrote: > On Tue, Jun 18, 2019 at 05:34:32PM -0400, grarpamp wrote: > > https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599 > > NFLX-2019-001 > > > > Date Entry Created: 20190107 > > Preallocated to nothing? > > Or witheld under irresponsible disclosure thus keeping > > users vulnerable to leaks, parallel discovery, and exploit > > for at least five months more than necessary, and > > unaware thus unable to consider potential local mitigations? > > Other than the inappropriate tone, there is a reasonable question here. > MITRE allocates blocks of CVEs to FreeBSD as a CNA. We can then decide > when to assign and disclose them. The 2019-01-07 date is when MITRE > allocated a block of CVEs to FreeBSD, not when they are assigned to an > issue. We generally get a block in the beginning of each year. > > If you would like to have an actual discussion around disclosure > policies, I'm happy to have one, but by your tone above, I don't think > there is any reason to do so. It seems unlikely you are open to > debate in a fashion that would be productive.
Hey Gordon, Thank you for your reply, and especially for the respectful tone. I hope to drive a further positive discussion in the goal of enhanced transparency. It appears that Netflix's advisory (as of this writing) does not include a timeline of events. Would FreeBSD be able to provide its event timeline with regards to CVE-2019-5599? Were any FreeBSD derivatives given advanced notice? If so, which ones? Thanks for your time, resources, and continued correspondence. Thanks again, -- Shawn Webb Cofounder / Security Engineer HardenedBSD Tor-ified Signal: +1 443-546-8752 Tor+XMPP+OTR: [email protected] GPG Key ID: 0xFF2E67A277F8E1FA GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
signature.asc
Description: PGP signature
