Understandable
Understandable
Posted Jun 26, 2025 7:02 UTC (Thu) by chris_se (subscriber, #99706)In reply to: Understandable by wtarreau
Parent article: Libxml2's "no security embargoes" policy
Also note that the embargo stuff is kinda backwards now: initially it was always the maintainers of the software (often proprietary) who requested embargoes and didn't want security researchers to publish, in order for them to be able to fix it first. And I remember that this was even a hotly debated topic not too long ago (keywords "responsible disclosure" vs. "full disclosure"). The fact that embargoes are now requested by the security reporters is a perversion of the entire process.
I don't begrudge security researchers wanting to earn money with their job, it just shouldn't be at the expense of the maintainers and users of the software they are analyzing.
> These days I almost never accept embargoes either on my projects. I consider that the standard rule is no embargo, and that when it's really critical (i.e. about once a year), anyway, each time it's different and each time you find a good reason for breaking your own rules, thus in this case you can make an exception and accept an embargo of the suitable time (including waiting for a distro maintainer to be back at work etc). So I prefer to say "no to embargoes unless *I* consider the case special enough to derogate to that rule". Then this is negotiated with those I'm relying on and we can collectively act for the best of our users. For now this has simplified our task (maintainers and distro packagers), significantly reduced the overhead caused by this ridiculous theater and resulted in delivering important fixes very quickly to exposed users.
Fully agree with that sentiment. And once security fixes are out, there's always the time between the fixes being out and them being installed, so even with an embargo there will always be a window in which some systems will be potential subjects to exploitation.
Posted Jun 26, 2025 17:13 UTC (Thu)
by wtarreau (subscriber, #51152)
[Link] (1 responses)
That's indeed a very good observation which just reminded me old memories of when that was still the case! This clearly illustrates the perversion of this recent situation! I think it has shifted very slowly without anyone noticing...
> I don't begrudge security researchers wanting to earn money with their job, it just shouldn't be at the expense of the maintainers and users of the software they are analyzing.
Exactly!
Posted Jun 27, 2025 12:25 UTC (Fri)
by corsac (subscriber, #49696)
[Link]
I respectfully disagreed to prevent all publication before the conference. It doesn't really make sense and is not really needed in the general case. I can sympathize a bit for the "grand reveal" effect where you drop a nice vulnerability in front of a large audience at a security conference (I might have done a bit of that myself in the past), but in reality you don't lose anything by presenting the *work* you did to discover that, the thought process, and maybe the work you did with upstream and downstreams and other partners to actually fix the vulnerability (some researchers do that).
So yeah, at least for vulnerabilities discovered after some *real work* by security researchers, I think it's just fine to politely decline an embargo, fix the vulnerability publicly and give credit right now. And the researchers can refer to the advisory when doing their talk.
If the success of that talk only relies on the fact the vulnerability will be disclosed live, then it's likely not that interesting to present it at all.
Understandable
Understandable