[Development] Proposal: Change Qt's Security Policy to Full Disclosure

d3fault d3faultdotxbe at gmail.com
Fri Oct 19 19:10:05 CEST 2012


On Fri, Oct 19, 2012 at 9:48 AM, Alexis Menard <alexis at webkit.org> wrote:
> First you should let more than a day for people to answer.
>

Waited 11 days in the other thread...

> Secondly I disagree with your statement and using the same link
> (Debian) you sent let me quote something else :
>
> "A: Once the security team receives a notification of an incident, one
> or more members review it and consider its impact on the stable
> release of Debian (i.e. if it's vulnerable or not). If our system is
> vulnerable, we work on a fix for the problem. The package maintainer
> is contacted as well, if they didn't contact the security team
> already. Finally, the fix is tested and new packages are prepared,
> which are then compiled on all stable architectures and uploaded
> afterwards. After all of that is done, an advisory is published." [1]
>

Weird that Debian contradicts themselves, but hardly relevant. Plenty
of projects use responsible disclosure... but that is NOT an argument
in favor of it. Lots of projects are also insecure, get it?

> Now let's say someone finds a security flaw in Qt, reports the attack
> vector and we blindly publish it with the fix not yet in work. What
> happens if somebody in the meantime makes a proper with bad intention
> and spreads it over? Millions of products run Qt. Then we don't have
> anything to provide to help our users; it's too late. When we put the
> exploit public, there should already be a patch committed and an
> announcement made so people can update their Qt before it gets too
> late.
>

Fix'd:

> Now let's say someone finds a security flaw in Qt, reports the attack
> vector and we sit on it for a week or two. What
> happens if somebody in the meantime leaks that vulnerability with bad intention
> and spreads it over? Millions of products run Qt. Then we don't even
> give our users the option of shutting down their vulnerable systems
> until a fix can be delivered. They are sitting in the dark waiting for
> a fix to an exploit they don't even know exists (but the crackers certainly do!)


> When we put the
> exploit public, there should already be a patch committed and an
> announcement made so people can update their Qt before it gets too
> late.

That is an impossible requirement without extending the window in
which a vulnerability can be exploited.

d3fault


