
Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)

At 13:31 +0200 on 09 Jul (1341840671), Joanna Rutkowska wrote:
> If you're into security industry (going to conferences, etc) you
> certainly know the right people who would be delighted to buy exploits
> from you, believe me ;) Probably most Xen developers don't fit into this
> crowd, true, but then again, do you think it would be so hard for an
> interested organization to approach one of the Xen developers on the
> pre-disclosure list? How many would resist if they had a chance to cash
> in some 7-figure number for this (I read in the press that hot
> bugs/exploits sell for this amount actually)?

I think the argument is that an exploit that's going to be public (and
patched) in the next couple of weeks would not fetch the same kind of
price as an unknown attack that can be kept for later.

OTOH, I'm sure it's worth something for the chance to get in early and
install a rootkit, or just crash your rivals' systems for the bad

I'm not sure there's an enormous difference between a leaky
predisclosure list and full disclosure, but FWIW I'm in favour of 
(a) having a list, and (b) keeping the embargo at no more than two weeks.

