
A Stack Clash disclosure post-mortem

[Security] Posted Jun 21, 2017 18:56 UTC (Wed) by corbet

For those who are curious about how the community deals with a serious vulnerability, Solar Designer's description of the embargo process around the "Stack Clash" issue (and his unhappiness with it) is worth a read. "Qualys first informed the distros list about this upcoming set of issues on May 3. This initial notification didn't say Stack Clash nor anything like that, but merely expressed intent to disclose the issues and concern that the list's maximum embargo duration of 14 to 19 days might not be sufficient in this case. In the resulting discussion, I agreed to consider extending the embargo beyond list policy should there be convincing reasons for that. In retrospect, I think I shouldn't have agreed to that."

Copyright © 2017, Eklektix, Inc.