Comment by rustyhancock

14 hours ago

A curious approach, but I like it!

Wonder if this means just publishing vulnerabilities without contact with the curl team would be responsible (you have no other path to tell vulnerable users).

I think very few people would consider that to be responsible disclosure. The common practice is to allow 90 days as a minimum.

  • I think I'd personally develop a minimal patch and then publicly disclose.

    I'm not sure it'd be reasonable to leave an actively exploited critical bug until August. Nor would I be too interested in playing middle man or paying for support from curl to get it out.

  • Reminder that what you're describing is "coordinated disclosure", and that there are in fact plenty of people who consider "full disclosure" to be preferable in some or all cases.

It would certainly be irresponsible.

The responsible thing would have been to simply wait another month, considering you've been warned about the delay.

  • The vulnerability is there whether disclosed or not. If you find it, someone else has too. Sitting on it is the irresponsible thing.

Given that most of those users will not be capable of patching it directly, no, that seems like it would be irresponsible.

  • Why not? Only a tiny fraction of curl users get it from the upstream website/repo. Most users get curl/libcurl from their OS/application vendor or package manager, all of which have their own maintainers. There is no reason a temporary patch couldn't be produced by them in the meantime.

Just publish early due to a documented lack of cooperation. They don't have to answer, but you don't have to wait.

Naturally some people find this offensive, since this puts a price on that "bliss".

  • Taking 1/3 of the standard time budget to get back to you isn't ideal, but it's not "a documented lack of cooperation".

    And if you find something halfway through the month then, oh no, two weeks to reply; that's basically a standard business interaction at that point.

  • Why are you interpreting clear communication of a window of downtime, with 2 weeks' notice, as a "lack of cooperation"? That's what cooperation looks like. It's not explicit, but my read was that they're not even taking a vacation; they're just doing the rest of their job, a lot of which is probably going to be shipping fixes for vulnerabilities that are already triaged.

  • There are no "rules" for responsible disclosure. We have guidelines that we have broadly accepted, but at the end of the day whether or not you disclosed responsibly is in the opinion of your peers.

    There's no such thing as "responsible disclosure on a technicality". Don't be a dick, and work in good faith to keep users safe.