[Ksummit-discuss] [MAINTAINERS SUMMIT] Handling of embargoed security issues

Jiri Kosina jikos at kernel.org
Tue Sep 11 08:20:23 UTC 2018


On Mon, 10 Sep 2018, Thomas Gleixner wrote:

> Looking at SSBD/L1TF only and ignoring the Meltdown/Spectre disaster (which
> was completely FUBARed by Intel), having something like this in place could
> have certainly solved the main gap which we had. We were able to
> communicate freely between the informed parties and their allowed-to-know
> kernel developers, even across vendors. 

Agreed, this worked pretty well this time.

> But there was no simple way to bring in anybody else. It took us almost 
> 2 months to get GregKH on board, but there was no way to talk to e.g. 
> the BPF folks in time.

But this was what caused real pain indeed. Do we know / can it be 
publicly said what exactly was the issue in those cases? Was it perhaps 
that those people were not employed by a company the disclosing party 
already had an NDA in place with (like it probably had with all the 
involved vendors, etc.)?

Thanks,

-- 
Jiri Kosina
