Embargoes
Posted Jul 4, 2025 17:36 UTC (Fri) by anton (subscriber, #25547) In reply to: Embargoes by wtarreau
Parent article: Libxml2's "no security embargoes" policy
Sadly, this has always been how embargoes work. For a vulnerability (i.e., not a backdoor), the idea is that the black hats do not know the vulnerability yet, and they will learn about it when somebody publishes a bugfix; so the embargo synchronizes the publication of the bugfix, and hopefully most users have upgraded before the black hats can exploit it.
The situation is different for a back door: the black hats already know about it. So the embargo only means that some (or maybe all) affected users are exposed to the back door for longer.
Posted Jul 4, 2025 17:52 UTC (Fri) by mb (subscriber, #50428)

If detailed information about a back door is published without a fix, then *everybody* can start to exploit it.

Posted Jul 5, 2025 16:10 UTC (Sat) by anton (subscriber, #25547)

No. Installing a backdoor requires a lot of effort, and the ones installing the backdoor have many incentives to secure the access to the backdoor: In particular, they don't want random attackers to use the backdoor for their purposes, which may draw attention to the back door or may prevent access directly (e.g., if the random attackers encrypt the target system).

So no, even with information about the back door being public knowledge, only the back door installers can exploit it. Case in point: From what I have read, no security researcher has managed to enter through the xz backdoor yet.