[Development] Proposal: Change Qt's Security Policy to Full Disclosure

d3fault d3faultdotxbe at gmail.com
Tue Oct 23 23:01:01 CEST 2012


On 10/23/12, Donald Carr <sirspudd at gmail.com> wrote:
> life is clearly not a popularity contest for d3fault.

rofl thank you for that compliment. better than Charley telling me I'm
smart repeatedly -_-
I agree completely!!! It's just that the
recommended/officially-endorsed way of reporting security
vulnerabilities is to the private mailing list.
security at qt-project.org should be official/public,
security-private at qt-project.org should be OFFERED, but not the
'official' way. The analyst who discovers the vuln can choose whatever
he wants. He can even sell it to crackers... lol.

qt-project.org/security/index.html should read something like this:


If you discover a vulnerability, please report it to
security at qt-project.org and we'll take care of the rest. You can of
course join in on the discussion and suggest fixes etc, as Qt is a
COLLABORATIVE PROJECT.

If you think the vulnerability would cause harm being publicly
disclosed, you can instead send it to security-private at qt-project.org
--- but remember... just who are those people with access to that
list, and can you trust them to not un/intentionally leak your
vulnerability?
Emphasis added.

d3fault
