A Stack Clash disclosure post-mortem

Qualys first informed the distros list about this upcoming set of issues on May 3. This initial notification didn't say Stack Clash nor anything like that, but merely expressed intent to disclose the issues and concern that the list's maximum embargo duration of 14 to 19 days might not be sufficient in this case. In the resulting discussion, I agreed to consider extending the embargo beyond list policy should there be convincing reasons for that. In retrospect, I think I shouldn't have agreed to that.

For those who are curious about how the community deals with a serious vulnerability, Solar Designer's description of the embargo process around the "Stack Clash" issue (and his unhappiness with it) is worth a read.

From: Solar Designer <solar-cxoSlKxDwOJWk0Htik3J/w-AT-public.gmane.org>
To: oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8-AT-public.gmane.org
Subject: Re: Qualys Security Advisory - The Stack Clash
Date: Mon, 19 Jun 2017 22:39:33 +0200
Message-ID: <20170619203933.GA910@openwall.com>