[Development] Proposal: Change Qt's Security Policy to Full Disclosure

Holger Hans Peter Freyther holger at freyther.de
Sun Oct 21 09:58:19 CEST 2012


On Fri, Oct 19, 2012 at 11:19:40AM -0700, d3fault wrote:
> Mathematical Truth:
> 
> It is better:
> To be vulnerable and know it (so you can shut down your machine or
> unplug dat ethernet cable).

most secure == always off. But that is probably not practical. But then
again security is not a state but a process. ;)


> Than:
> To be vulnerable and not know it (especially when there's a growing
> number of others that do).

If you take a look here[1] it takes about a year until active exploitation
is discovered and exploitation increases after disclosure. So this "growing
number of others" is mostly void in your argumentation. Exploitation happens
after the public disclosure and before people are ready to apply the patches.

You will not change that right now responsible disclosure is in place. What
you can help with is improving the process. E.g. if somebody imports 3rd-party
software into Qt, he should be responsible for updating this code in time;
there should probably also be a new release of Qt with the last stable + the
3rd-party security fix.



[1] http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf