How dangerous is releasing CVEs before developing fixes?

OP was screaming about half the Internet being brought down, and whole countries disappearing off the map, because somebody did not follow standard cybersecurity analysis procedures correctly!
I think that is a slight exaggeration. I was questioning the wisdom of releasing information about security flaws in software before putting mitigation in place and asking how much danger might be caused to infrastructure such as banking, power grids etc.

I also suggested that if a terrorist group or an espionage agency used the techniques disclosed to wreak havoc with such a critical system law enforcement agencies would be likely to come after the person releasing the information on the grounds he or she had aided the action (however the threat actor actually discovered it) because in many countries it is a serious crime to provide information which might be useful to a terrorist etc.

It is a sad reality that when something serious enough goes down a scapegoat must be found and I wouldn't want to risk being that scapegoat, which is what I think the developer has unwittingly done.

Fortunately, nothing untoward seems to have happened yet and the flaws have been patched, but I still think it was a foolish thing to do.

Frankly, I wish I'd never raised the issue because it seemed to degenerate into a pointless point-scoring flame war.
 
kjpetrie : There's kind of a difference between (paranoia / belief in conspiracy theories) and approaching information in a level-headed manner... At this rate, the CIA just might hire you to figure out the schedule of Kim Jong Un's personal chef, and what weird spice names can be confused for poisons that were supposed to be used in the plot to assassinate Jeffrey Epstein's father-in-law. It's just a matter of using those vulnerabilities that you mentioned to gain access to a server in a military base in North Korea...

But seriously, OP's comments do betray quite a disconnect from reality... people (who actually know a thing or two) tried to explain, but failed. 😩
 
I have a problem with the idea from the beginning, and now I know what it is. The question of whether it is OK to submit a CVE before having a fix implies that the author has some responsibility for the end product that uses his lib. He does not.

Saying "There is a problem, here is my corrected version" is all he is responsible for. Someone using the lib in mission critical, outward facing projects should hurry up and fix that, meaning his architecture. You get that thing free of charge, and that is all the service you are entitled to.
 
> I have a problem with the idea from the beginning, and now I know what it is. The question of whether it is OK to submit a CVE before having a fix implies that the author has some responsibility for the end product that uses his lib. He does not.

He said he doesn't want to fix it, though, rather than saying that he didn't manage to fix it within the 90-day grace period that enumeration authorities usually ask security analysts to grant project upstreams to come up with mitigations prior to publishing a CVE. So him publishing the CVE was the right thing to do, as doing so alerts the community and either causes someone else to provide a fix or, over the longer term, causes the community to divert to other XML handling libraries that are better maintained.
 