Bravo!

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Laszlo Ersek
Sent: Thursday, July 30, 2015 9:58 AM
To: Blibbet; edk2-de...@ml01.01.org
Cc: Peter Jones
Subject: Re: [edk2] today's US CERT UEFI advisory

On 07/30/15 17:49, Blibbet wrote:
> FYI, in case any OEMs missed today's US-CERT UEFI vulnerability notice:
> 
> http://firmwaresecurity.com/2015/07/30/us-cert-bios-vulnerability-note-vu577140/
> 
> Remember that any TianoCore-based bugs may be in your platform:
> 
> https://twitter.com/XenoKovah/status/623483244890189824
> 
> Can anyone clarify if the code in this vulnerability is in TianoCore 
> or external vendor-specific?

I think both sides, the firmware researcher side, and the firmware vendor side, 
have ample room for improvement in their behavior.

The researcher side should tone down their repulsive sensationalism, selling 
each security bug to the public as the end of the world, and showing off 
themselves as the most leet security startup ever, seeking to score hefty $$$ 
gigs right after. Responsible disclosure exists.

The vendor side should get their act together, and react to, and *address*, 
responsible disclosures in a *timely* manner. Among other things, this requires:

- spelling out CVE numbers in the subject lines of edk2 commit
  messages, when edk2 is affected and some patches address those issues,

- publicly releasing *plain text* advisories, rather than privately
  circulated PDF files that contain the problem description as embedded
  image files, with (probable) watermarks embedded as well.

Edk2's track record has been absolutely deplorable in this regard. But, as I 
said, both sides have a lot of room for improvement; the hype generated by some 
white hats around each single discovery is hugely childish and unprofessional 
too.

(Yes, I have discovered, reported, and fixed vulnerabilities too, in various 
projects. I have never tried to exploit them though, so maybe that's why I'm so 
unexcited.)

Laszlo
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel