Is this true:

Discuss and suggest new grsecurity features

Postby spender » Mon Jan 10, 2005 5:09 pm

I don't know who posted that on slashdot, but they're twisting facts around and exaggerating certain things.

Yes, I did sell vulnerability information for exec-shield and LIDS to a company at the beginning of the summer. So no, it wasn't Linux kernel vulnerabilities (unless you consider exec-shield and LIDS to be part of the Linux kernel), and no, the company was not a "blackhat" company; it is a well-known and reputable security company. Since they don't release the information to the public, there's no "commercial intelligence" or "stealing trade secrets" going on with the information.

So no, the vulnerabilities I sold are not patched, but you wouldn't be using either of those things anyway. If there is a bug in something that pertains to grsecurity (either in grsecurity or in the mainline kernel itself) we fix it within grsecurity. We don't sit on bugs we know of (since I use grsecurity myself, of course).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby spender » Mon Jan 10, 2005 5:15 pm

Also, until a proper kernel security officer is set up that we can communicate with privately and securely (vendor-sec is neither of these things), our official stance with regards to reporting vulnerabilities will be that we will not report any vulnerabilities but will fix them within grsecurity.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
