> Are you suggesting that people should not report remote command execution vulnerabilities when such vulnerabilities are successfully stopped by SELinux?

No, I'm suggesting that only testing on systems shipping weak protection systems and poor defaults is misleading.

> Also, why do you think that seeking recognition for your efforts a bad thing?

It isn't by default, but it can become a bad thing when you overstate the importance of your finding: see my previous line in this comment and add the fact that this guy picked a CVE score of 9.9 where Heartbleed had "only" a 7.5 score -- but Heartbleed affected pretty much everybody in the industry.

> But here’s a screenshot from the VINCE report of the initial CVSS scores, including the 9.9, being estimated by a RedHat engineer (and also reviewed by another one)

> As I said, I'm not an expert, and I think that the initial 9.9 was mostly due to the fact that the RCE is trivial to exploit and the package presence so widespread. Impact-wise I wouldn't classify it as a 9.9, but then again, what the hell do I know?

He did _not_ pick the score.


> No, I'm suggesting that only testing on system shipping weak protection systems and poor defaults is misleading.

But then he would not have found and reported the vulnerability, yet it would still exist and affect people.

Once the vulnerability was discovered it doesn’t matter if one operating system or the other has protections in place that will stop it. What matters is that the code is vulnerable and that there are people who are not protected. Proving that it is not exploitable on systems configured a certain way does not invalidate the original finding.

