[Development] Proposal: Change Qt's Security Policy to Full Disclosure

d3fault d3faultdotxbe at gmail.com
Tue Oct 23 23:01:01 CEST 2012

On 10/23/12, Donald Carr <sirspudd at gmail.com> wrote:
> life is clearly not a popularity contest for d3fault.

Rofl, thank you for that compliment. Better than Charley telling me I'm
smart repeatedly -_-

I agree completely!!! It's just that the
recommended/officially-endorsed way of reporting security
vulnerabilities is to the private mailing list.
security at qt-project.org should be official/public,
security-private at qt-project.org should be OFFERED, but not the
'official' way. The analyst who discovers the vuln can choose whatever
he wants. He can even sell it to crackers... lol.

qt-project.org/security/index.html should read something like this:

If you discover a vulnerability, please report it to
security at qt-project.org and we'll take care of the rest. You can of
course join in on the discussion and suggest fixes etc, as Qt is a

If you think the vulnerability would cause harm being publicly
disclosed, you can instead send it to security-private at qt-project.org
--- but remember... just who are those people with access to that
list, and can you trust them to not un/intentionally leak your

Emphasis added.
