Linux 2.6.30 exploit posted

Posted Jul 17, 2009 23:35 UTC (Fri) by cde (guest, #46554)
Parent article: Linux 2.6.30 exploit posted

Hi Brad,

Congrats on your exploit :) You did the right thing by releasing it right away, the OSS community owes you one.

Cheers,

Christophe



Linux 2.6.30 exploit posted

Posted Jul 17, 2009 23:41 UTC (Fri) by cde (guest, #46554) [Link]

I mean, releasing the details of this vulnerability without sitting on it.

Linux 2.6.30 exploit posted

Posted Jul 18, 2009 10:53 UTC (Sat) by nix (subscriber, #2304) [Link]

Or (the worst case, which has been known although I'm sure Brad has never done it) selling it to the blackhats instead of disclosing it. For all that people whine about full disclosure, it's always got to be better than *that*.

Linux 2.6.30 exploit posted

Posted Jul 18, 2009 17:46 UTC (Sat) by spender (subscriber, #23067) [Link]

Indeed. Also, in case you weren't aware, the 'shady' purchasers (organized crime) of exploits pay out a lot more than the legitimate purchasers.
Also, while some legitimate purchasers do notify the vendor of the vulnerability, others do not. Customers of that legitimate purchaser get copies of fully-working exploits (not PoCs) for vulnerabilities that are unfixed.

Keep that in mind.

-Brad

Then this vulnerability was only published because it was "spoiled goods"?

Posted Jul 20, 2009 5:38 UTC (Mon) by khim (subscriber, #9252) [Link]

> Customers of that legitimate purchaser get copies of fully-working exploits (not PoCs) for vulnerabilities that are unfixed.

Does it mean that vulnerabilities like the discussed one are only ever disclosed when they can not be sold? This time the fix was introduced before the exploit (sure, it was not included in a -stable release, but it was in git-head already), so it was impossible to sell it to a "legitimate purchaser"?

Then this vulnerability was only published because it was "spoiled goods"?

Posted Jul 20, 2009 11:20 UTC (Mon) by nix (subscriber, #2304) [Link]

Well, since he just said elsewhere in this thread that he's going to start selling RH vulnerabilities, one must assume the answer, this time, was no, but in future will be yes.

Linux 2.6.30 exploit posted

Posted Jul 20, 2009 20:42 UTC (Mon) by SEJeff (subscriber, #51588) [Link]

So where does 3Com's ZDI (Zero-Day Initiative) lay? On the good or bad side?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds