undefined | Better HN

0 pointsmrmondo8y ago0 comments

It’s not an example of security by obscurity, it’s a straight out security flaw and bug.

If it’s not publicly known and is a security risk it is far more effective to directly contact the developers / companies security team so they can immediately work on actually protecting people by developing a patch. If they don’t respond quickly (subjective, I’d call it within 12 hours) or fail to issue a fix in a timely manor (subjective, I’d say 24 hours) then yes - go public, start by logging a bug report and link to that bug report or if you can’t - the bug number / reference.

0 comments

thomastjeffery8y ago

The fact is that the devs certainly do know about it by now, yet users do not have a fix yet. Users do, however, have a workaround, and knowledge that the security flaw exists in the first place.

Waiting for a fix before disclosing a security flaw is security by obscurity, even if it is to be replaced soon.

It is best for users to know that their system is vulnerable, and how to fix that without waiting for a system update.

mrmondoOP8y ago

> "The fact is that the devs certainly do know about it by now, yet users do not have a fix yet."

Citation needed.

> "It is best for users to know that their system is vulnerable, and how to fix that without waiting for a system update."

Stepping outside the 'tech' social bubble, most general users likely won't create a root account and password from something they see on TV or their local news site or at least not before a patch would have been released.

Further to previously provided examples:

https://www.cloudflare.com/disclosure/

https://access.redhat.com/security/team/contact

https://www.xenproject.org/security-policy.html

https://about.gitlab.com/disclosure/

https://help.github.com/articles/responsible-disclosure-of-s...

https://www.kernel.org/doc/html/v4.10/admin-guide/security-b...

https://www.drupal.org/drupal-security-team/general-informat...

https://www.cisco.com/c/en/us/about/security-center/security...

https://www.juniper.net/us/en/security/report-vulnerability/

thomastjeffery8y ago

> Citation needed.

Has there been an update released yet? I wouldn't know, I don't use OS X.

Is this the best way to report a security flaw? Of course not! Is it a bad way? No! The only bad way to report a security flaw is to not report it at all.

1 more reply

j / k navigate · click thread line to collapse

0 comments

thomastjeffery8y ago

The fact is that the devs certainly do know about it by now, yet users do not have a fix yet. Users do, however, have a workaround, and knowledge that the security flaw exists in the first place.

Waiting for a fix before disclosing a security flaw is security by obscurity, even if it is to be replaced soon.

It is best for users to know that their system is vulnerable, and how to fix that without waiting for a system update.

mrmondoOP8y ago

> "The fact is that the devs certainly do know about it by now, yet users do not have a fix yet."

Citation needed.

> "It is best for users to know that their system is vulnerable, and how to fix that without waiting for a system update."

Further to previously provided examples:

https://www.cloudflare.com/disclosure/

https://access.redhat.com/security/team/contact

https://www.xenproject.org/security-policy.html

https://about.gitlab.com/disclosure/

https://help.github.com/articles/responsible-disclosure-of-s...

https://www.kernel.org/doc/html/v4.10/admin-guide/security-b...

https://www.drupal.org/drupal-security-team/general-informat...

https://www.cisco.com/c/en/us/about/security-center/security...

https://www.juniper.net/us/en/security/report-vulnerability/

thomastjeffery8y ago

> Citation needed.

Has there been an update released yet? I wouldn't know, I don't use OS X.

Is this the best way to report a security flaw? Of course not! Is it a bad way? No! The only bad way to report a security flaw is to not report it at all.

1 more reply

j / k navigate · click thread line to collapse