From mboxrd@z Thu Jan 1 00:00:00 1970
From: Tim Deegan
Subject: Re: Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
Date: Mon, 9 Jul 2012 14:51:01 +0100
Message-ID: <20120709135101.GA83420@ocelot.phlegethon.org>
References: <4FF93711.6020108@invisiblethingslab.com> <4FFAC0FF.6040206@invisiblethingslab.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path:
Content-Disposition: inline
In-Reply-To: <4FFAC0FF.6040206@invisiblethingslab.com>
List-Unsubscribe: ,
List-Post:
List-Help:
List-Subscribe: ,
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Joanna Rutkowska
Cc: Jan Beulich , Stefano Stabellini , George Dunlap , "xen-devel@lists.xen.org" , Lars Kurth , Matt Wilson
List-Id: xen-devel@lists.xenproject.org

At 13:31 +0200 on 09 Jul (1341840671), Joanna Rutkowska wrote:
> If you're into the security industry (going to conferences, etc.) you
> certainly know the right people who would be delighted to buy exploits
> from you, believe me ;) Probably most Xen developers don't fit into this
> crowd, true, but then again, do you think it would be so hard for an
> interested organization to approach one of the Xen developers on the
> pre-disclosure list? How many would resist if they had a chance to cash
> in some 7-figure number for this (I read in the press that hot
> bugs/exploits sell for this amount actually)?

I think the argument is that an exploit that's going to be public (and
patched) in the next couple of weeks would not fetch the same kind of
price as an unknown attack that can be kept for later. OTOH, I'm sure
it's worth something for a chance to get in early and install a rootkit,
or just crash your rivals' systems for the bad publicity.

I'm not sure there's an enormous difference between a leaky predisclosure
list and full disclosure, but FWIW I'm in favour of (a) having a list, and
(b) keeping the embargo at no more than two weeks.

Tim.