Vulnerability Disclosures

> I wanted to suggest that when notifying of new vulnerabilities, in addition
> to the severity level, information is also provided about how widespread the
> issue is expected to be.

I'd be concerned about doing that.  While this one seemed pretty rare -- only folks running a release less than 30 days old in production -- as a general rule, it's impossible to tell.  For example, we THINK that PSK isn't used much, but we have no idea -- it's real popular in the Internet of Things, for example.  It seems safer to say nothing, than to say something misleading or wrong.

We'd like to give as much information as possible, but not enough to expose the vulnerability exploit and not anything that could be misleading.  It's a very hard point to triangulate.

	/r$


