possible rsync validation dos vuln

Nick Hilliard nick at foobar.org
Fri Oct 29 12:36:54 UTC 2021


Barry Greene wrote on 29/10/2021 13:15:
> That only happens if the team has the time to get the fix into the code, 
> tested, validated, regressed, and deployed. I would say this is a 
> classic example of “ego” to publish overruling established principles.
> 
> The University of Twente should explore requiring classes for 
> responsible disclosure.
> 
> NCSC, it seems you threw out your own policy:
> 
> "The NCSC will try to resolve the security problem that you have 
> reported in a system within 60 days. Once the problem has been resolved, 
> we will decide in consultation whether and how details will be published."
> 
> I would have expected you to counsel the researchers on responsible 
> disclosure principles.

Indeed + also manage the vendor disclosure process in a more 
comprehensive / structured way.

An interesting and worthwhile outcome here would be a presentation on 
how the set of inputs into the sausage factory produced the mess that's 
going to be served for lunch on Monday.  I.e. let's use this as an 
opportunity to learn from the mistakes that were made here.

Nick


More information about the NANOG mailing list