Show notes
A week ago the Copy Failvulnerability came out, and Hyunwoo Kim immediately realized that thefixes were insufficient, sharing a patch thesameday. In doing this he followed standard procedure for Linux,especially within networking: share the security impact with a closedlist of Linux security engineers, while fixing the bug quietly andefficiently in the open. His goal was that with only the raw fixpublic, the knowledge that a serious vulnerability existedcould be "embargoed": the people in a position to address it know, butthey've agreed not to say anything for a few days.
Someone else noticedthe change, however, realized the security implications, and sharedit publicly. Since it was now out, the embargo was deemed over,and we can now see the fulldetails.
It's interesting to see the tension here between two differentapproaches to vulnerabilities, and think about how this is likely tochange with AI acceleration.
On one side you have "coordinated disclosure" culture. This isprobably the most common approach in computer security. When youdiscover a security bug you tell the maintainers privately and givethem some amount of time (often 90d) [...]
---
First published:
Source:
---
Narrated by TYPE III AUDIO.

