Posted: Mon Jan 10, 2005 5:09 pm
I don't know who posted that on slashdot, but they're twisting facts around and exaggerating certain things.
Yes, I did sell vulnerability information for exec-shield and LIDS to a company at the beginning of the summer. So no, it wasn't Linux kernel vulnerabilities (unless you consider exec-shield and LIDS to be part of the Linux kernel), and no, the company was not a "blackhat" company; it is a well-known and reputable security company. Since they don't release the information to the public, there's no "commercial intelligence" or "stealing trade secrets" going on with the information.
So no, the vulnerabilities I sold are not patched, but you wouldn't be using either of those things anyway. If there is a bug in something that pertains to grsecurity (either in grsecurity or in the mainline kernel itself) we fix it within grsecurity. We don't sit on bugs we know of (since I use grsecurity myself, of course).
-Brad