
A fuzzy issue of responsible disclosure

Posted Aug 17, 2022 18:32 UTC (Wed) by NYKevin (subscriber, #129325)
In reply to: A fuzzy issue of responsible disclosure by anselm
Parent article: A fuzzy issue of responsible disclosure

It should probably also be emphasized that this is a Four Freedoms issue. Fuzzing a program is expressly protected under freedoms 0 and 1 (i.e. "run the program as you wish, for any purpose" and "study how the program works"). Communicating the results of a fuzzer run is *technically* not within the literal wording of freedom 3 ("distribute copies of your modified versions to others") but it's obviously within the spirit of the freedom.

In other words: If you don't want people to fuzz your software, then you should not make free software in the first place. You don't have to read their bug reports, and you can nicely ask them to pre-triage or to take other reasonable steps, but ultimately, the user has an absolute right to fuzz the software and tell anyone who will listen about the bugs they find.


A fuzzy issue of responsible disclosure

Posted Aug 17, 2022 19:41 UTC (Wed) by pebolle (guest, #35204)

> the user has an absolute right to fuzz the software and tell anyone who will listen about the bugs they find.

Exactly!

Why does this even need to be stated? It wouldn't be Free Software if we weren't allowed to use it for whatever reason we fancy. Like noticing it's prone to certain crashes.

I seem to remember the OpenBSD developers rejecting the notion of responsible disclosure. If I remember correctly, my sympathy for their position just increased a bit.

A fuzzy issue of responsible disclosure

Posted Aug 25, 2022 2:16 UTC (Thu) by milesrout (subscriber, #126894)

You've made a classic error: confusing the question of what people are *legally entitled* to do with free software and the question of what is appropriate and acceptable conduct in the free software community. Nobody makes this mistake any more with forks: the ability to fork is one of the four freedoms *explicitly*, but it is also regarded by most as hostile---a last resort, when friendly communication has broken down. Why, then, knowing this, do people continue to confuse these two completely different things?

Nobody is saying anyone is *legally prohibited* from fuzzing free software. The discussion is not even about fuzzing, it is about *communication* of the *results* of fuzzing, and how it can be done in a way that does not cause burnout and frustration from developers, while recognising that fuzzers are reporting bugs, which is something that, at least in the abstract, ought to be encouraged.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds