
EDIT: it was not clear to me that Lumio has done only the writeup and not the original researchers finding the vulnerability, mea culpa. Lunasec, you're doing god's work!

Probably there isn't broad agreement on ethical standards related to vulnerability disclosure, but is it really still a net benefit when people disclose vulnerabilities, without even knowing the implications, that are clearly not patched, let alone giving users of the software time to do anything about it?

I feel we have gotten pretty far away from Tavis Ormandy working with Cloudflare to clean up the issue before anything is published.

Do I misunderstand something, or is this clearly the type of issue that will be misused widely?

This was fixed and discussed on GitHub a week ago, so the cat was somewhat out of the proverbial bag.

I would not blame the people who wrote easier-to-understand blog posts, which are going to need circulation to half of the enterprise IT code mills in the world, and note that dang changed this post's URL from the GitHub issue, which is harder to understand.


That's fair, my misunderstanding. In that case I'm questioning the people publishing the PoC.


It'd be a bit hard to keep this exploit a secret once the patch was on GitHub.


While that is definitely a good theoretical argument, in practice it seems to be the case that most of the (non-0day) vulnerabilities that get exploited in the wild are the ones that have solid public exploits, and it also seems to have an effect on how fast they start to be exploited.

Even if that were true, knowing that a number of large projects are using this lib, I'm not sure it is unreasonable to ask to at least make an attempt to reach out so they can assess their exposure.
