[Development] Proposal: Change Qt's Security Policy to Full Disclosure
d3fault
d3faultdotxbe at gmail.com
Tue Oct 23 09:28:34 CEST 2012
> You haven't earned the trust of the people in charge.
>
> The current security team members have earned the trust of the people in
> charge.
>
> No contradictions there.
Why do they need to trust me?
Because the information is dangerous.
By admitting that the information is dangerous, they are admitting
that having + holding the information is dangerous (even for them!!!).
By holding onto the information, they are putting us all in danger.
Thus, contradiction.
Full Disclosure levels the playing field.
It gives a slight advantage to script kiddies, yes...
...but it gives us a [different] much larger advantage: Knowledge.
"Knowledge" is useful for shutting down to thwart ongoing zero day
attacks... and also the mere availability of the knowledge prevents
entirely the analyst leakage (or anal. leakage for short :-P) scenario
I've described countless times.
d3fault
Other:
The public disclosure increases the incentive for a fix to be
researched/discovered/published/audited (more eyes = fewer bugs), but
this argument is weak so I probably shouldn't even have mentioned it.
Not to mention: the people on the security team are the people in
charge -_-. Flawed logic is flawed.
You're like the priests in the early days hiding information (the
ability to read and write) and trying to convince us it's for our own
good. Time will tell who is right. su time; echo "d3fault is right";
exit;