On Sat, Jun 05, 2021 at 11:12:49AM -0700, SyzScope wrote: > Hi Greg, > > > I do not recall that, sorry, when was that? > We sent an email to security@xxxxxxxxxx from xzou017@xxxxxxx account on May > 20, the title is "KASAN: use-after-free Read in hci_chan_del has dangerous > security impact". So you used a different email address and we were supposed to know how to correlate between the two? How? > > Is that really the reason why syzbot-reported problems are not being > > fixed? Just because we don't know which ones are more "important"? > > > > As someone who has been managing many interns for a year or so working > > on these, I do not think that is the problem, but hey, what do I know... > > Perhaps we misunderstood the problem of syzbot-generated bugs. Our > understanding is that if a syzbot-generated bug is exploited in the wild > and/or the exploit code is made publicly available somehow, then the bug > will be fixed in a prioritized fashion. If our understanding is correct, > wouldn't it be nice if we, as good guys, can figure out which bugs are > security-critical and patch them before the bad guys exploit them. The "problem" is that no one seems willing to provide the resources to fix the issues being found as quickly as they are being found. It usually takes an exponentially longer amount of time for a fix than to find the problem. Try it yourself and see! Fix these issues that your tool is somehow categorizing as "more important" and let us know how it goes. Or is just fixing found bugs somehow not as much fun as writing new tools? good luck! greg k-h