On Fri, Dec 26, 2008 at 2:19 PM, <[email protected]> wrote:
> Vulnerabilities _do_ constitute an active risk regardless of whether they
> are disclosed or not, as people looking for them can (and will) find them
> eventually, and once they have, the details will spread explosively.
> Exposing them before they are fixed at least gives users the chance to
> defend themselves before this happens, even if that means closing down
> systems.

I'm not sure this follows. There's a difference between exposing enough details to exploit, reproduce, and fix a vulnerability, and providing a way to prevent or mitigate possible exploits. I think we're just talking about the former, i.e. to whom LL can give details like "there exists a buffer overflow near llhippos.cpp:123, triggered by sending a malformed LLSomeMessage". Disclosing the vulnerability to everyone like that will not necessarily help with defense, and may likely hinder it by decreasing the time one has to implement workarounds.

On Fri, Dec 26, 2008 at 2:40 PM, Gordon Wendt <[email protected]> wrote:
> If it's something without a quick fix that can be fixed or even just mitigated
> client side I trust Nicholaz and the other 3rd party viewer makers more than
> LL to get a good patch out to their users.

I'm confused by the distinction here. If I take "without a quick fix" to mean something like "LL thinks the ETA for the fix is far enough in the future that sending separate disclosure to third-party viewer maintainers makes sense", this sounds a lot like an early disclosure group to me. What's the difference?

Celierra

_______________________________________________
Policies and (un)subscribe information available here:
http://wiki.secondlife.com/wiki/SLDev
Please read the policies before posting to keep unmoderated posting privileges
