incubator-ooo-dev mailing list archives

From Rob Weir <>
Subject Re: Vulnerability fixed in LibreOffice
Date Mon, 10 Oct 2011 12:19:32 GMT
On Mon, Oct 10, 2011 at 8:06 AM, Rory O'Farrell <> wrote:
> On Mon, 10 Oct 2011 07:45:34 -0400
> Rob Weir <> wrote:
>> Security reports come from security
>> reporters.  Can you tell us whether "Red Hat, Inc. security
>> researcher Huzaifa Sidhpurwala" is a TDF member and whether he
>> was reporting this issue under instructions from TDF?
> Does it matter?  A careful security report will provide
> information on how the problem arises; it would be foolish
> for anyone to immediately swing into action with alarm bells
> ringing to try to fix a report without first verifying that the
> poblem actually exists.  Surely any security report undergoes
> some form of triage before being advanced to fix.

It matters only to the degree that Michael was suggesting that there
was some breakdown in communications between TDF and Apache over
security reports.  So it is relevant to know whether the security
researcher who reported the issue was actually a TDF/LO developer.

I agree that incoming reports undergo triage/verification.  In some
sense it is no different than any other defect report in that regard.
One difference is that when looking at the severity/impact of the
defect, we look at it from the perspective of someone trying to
exploit a vulnerability, not from the end-user's perspective.  So a
security-related defect in an obscure feature might be considered high
severity, even if a function defect in that same area would be
considered low severity.


> --
>  Rory O'Farrell <>
