Hacker News

I'll defend the researchers for trying to do a managed notification. But I wonder, did they try to reach out to the major OS vendors to see if they could get them any advance warning? Or ask OpenSSL if OpenSSL knew how to get in touch with people on the down-low?


The problem with distributions is that you, in most cases, don't know who is on the other end of the security@xxx.tld email address.

Being Google engineers, they should have direct contacts with Cloudflare and some other high-profile targets.


Obviously they don't just send the exploit directly in mail to a mailing list. Email, ask to talk to someone over the phone, explain the situation to that person, ask for references on prior releases being well-handled.

I want to avoid Monday morning quarterbacking, though. In hindsight the right course of action is always obvious.



