>> The advisory was about a bug being exploited in the wild, so, yes.
>> That was covered well in Roger's last email.
>
> I'm aware, I did read his email. I was just under the impression that
> you publish advisories about *vulnerabilities*, not about *exploits*.
> But perhaps you're teaching me (and the rest of the community)
> something new here! ;-)

The purpose of an advisory is to alert users about various kinds of information. We covered the vulnerability and the exploit details that we knew at various times. We first published a blog post that detailed that we didn't yet have all information about what we'd heard rumored. We then published a second blog post detailing the new information. We also sent an email about it. I'd say that all three are advisory in nature - they literally advise users of what we know. The final email to tor-announce was an advisory about a specific vulnerability that was being exploited in the wild.

>> I'd encourage you to read Roger's email (again, or for the first
>> time). Specifically the part where we encouraged users to upgrade,
>> notified every browser user that there was a security update and so
>> on.
>
> That's pretty great, but it doesn't count as an advisory, no matter
> how hard you seem to want it to. THIS is an advisory:
> https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html

A CVE is what most consider the standard way of discussing an issue regardless of format or medium. We could probably improve by referencing CVEs of Mozilla's ESR security page rather than simply referencing the MFSA alone. As it is we referenced mfsa2013-53 but we didn't directly reference CVE-2013-1690. Part of the reason is that the MFSA is more specific than the CVE which details the most likely information relevant to a Firefox/Tor Browser user.

All the best,
Jacob
