Vulnerability Disclosure Practices in Open-Source Systems

A lot of discussion has taken place worldwide about whether or not newly found information-system vulnerabilities should be disclosed.

On one side are people who favor full disclosure (bug details, including how to trigger it and an exploit for it); on the other side are those who disagree with vulnerability disclosure (they want patches released, but not the details of which bug each one corrects).

This second approach actually makes the attackers' job easier (they only need to compare a system with the patched version of that system, using bindiff tools to help in the process). Users, who do not really need to update their systems on every release (update when a security flaw exists, not merely because an update exists), cannot know when it is safe not to update the system (so, let's sell more systems...).

My first blog entry does not try to settle that debate, but to discuss this position:

“The policy of the FreeBSD Security Team is that local denial of service bugs not be treated as security issues; it is possible that this problem will be corrected in a future Erratum”

It is interesting to see this kind of answer to a security problem in the system, especially when the bug can be exploited (yes, it can be exploited).

But is a local denial of service not a problem? Hmm, sorry for the hosting companies that use FreeBSD!!


Rodrigo Rubira Branco (BSDaemon).