> -----Original Message-----
> From: Roland Dreier [mailto:roland@xxxxxxxxxxxxxxx]
> Sent: Thursday, April 02, 2015 7:33 PM
> To: Shachar Raindel
> Cc: oss-security@xxxxxxxxxxxxxxxxxx; <linux-rdma@xxxxxxxxxxxxxxx>
> (linux-rdma@xxxxxxxxxxxxxxx); stable@xxxxxxxxxxxxxxx
> Subject: Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected
> physical memory access
>
> On Thu, Apr 2, 2015 at 12:52 AM, Shachar Raindel <raindel@xxxxxxxxxxxx>
> wrote:
> > This is a common practice in the security industry, called
> > "responsible disclosure."
> >
> > Following the kernel security bugs policy [1], we reported it to
> > the kernel security contacts a few days before making the issue public.
> > A few days after the issue became public, we published a clear report to all
> > of the relevant mailing lists.
>
> Isn't the point of responsible disclosure to delay disclosure until a
> fix is in place? What's the point of sending a notification to the
> kernel security team if you're going to disclose publicly before the
> upstream kernel is fixed?
>

We delayed the disclosure until most major Linux vendors released a fix for the issue, give or take in synchronization. The Linux security contact list only guarantees secrecy for 7 days. We therefore contacted them only close to the date at which fixes were going to be released, to follow their expectations for the period of time between contact and public disclosure.

Thanks,
--Shachar