On Thu, Apr 2, 2015 at 12:52 AM, Shachar Raindel <raindel@xxxxxxxxxxxx> wrote:
> This is a common practice in the security industry, called
> "responsible disclosure."
>
> Following the kernel security bugs policy [1], we reported it to
> the kernel security contacts few days before making the issue public.
> Few days after issue became public, we published a clear report to all
> of the relevant mailing lists.

Isn't the point of responsible disclosure to delay disclosure until a
fix is in place? What's the point of sending a notification to the
kernel security team if you're going to disclose publicly before the
upstream kernel is fixed?

 - R.