[riot-notifications] [RIOT-OS/RIOT] nanocoap: options buffer overflow (#10753)

Kaspar Schleiser notifications at github.com
Fri Jan 11 11:55:03 CET 2019


Thanks for the report and proposed fix.

Fixed by #10754.

> I personally prefer full disclosure for reporting such issues. Especially since #10749 hasn't been resolved yet. I also believe that doing full disclosure including documentation of an exploit worked quite well to get #10739 fixed in time. Besides, I didn't want to sit on this any longer and full disclosure is way better than no disclosure at all.

IMO you should allow projects to do their own security policy. Obviously you were not scared of the effects of disclosing this bug via unencrypted mail to security at riot-os.org, so why didn't you disclose it there, and what has #10749 got to do with it?

By disclosing this as you did, you're effectively side-stepping some policies we've put in place to make attackers' lives harder. E.g., we don't call the issues "OMG 0day buffer overflow", but maybe fix it using a PR called "fix options_count check", in order to get people to actually spend time checking bug fixes for remote exploitability instead of advertising them as such.

https://github.com/RIOT-OS/RIOT/issues/10753#issuecomment-453480232