[gnutls-devel] serious bug in web site
jericho
jericho at attrition.org
Fri Feb 27 18:53:24 CET 2015
http://www.gnutls.org/security.html
On 2015/02/25 a new advisory appears, SA-2015-1, that is a cut/paste copy
of SA-2014-5 and has no CVE.
On 2015/02/27 SA-2015-1 disappears without any indication as to why, or
explanation if it was a mistake.
So on a Wednesday you say "there is a vulnerability" in a pretty important
library, then on Friday you say "just kidding" ... maybe. This is not
responsible disclosure [1] and represents a serious flaw in your
disclosure process.
Please be more transparent and clear with your users.
jericho
OSVDB.org
[1] Yes, 'responsible' is usually a bad term when talking 'coordinated'
disclosure, but is very applicable to this situation.