Genders: ♾️, 🟪⬛🟩; Soni L.

@fionafokus hmm, side-question, what makes it bad about publishing patches?

or: why does coordinated disclosure exist?(?) why does it matter that he published patches instead of following a disclosure timeline, we thought that was only a thing to avoid pissing off corporate entities/avoid lawsuits and CFAA charges?

3 comments
Jay 🌺

@SoniEx2 @fionafokus

It is already explained in the blog post. If you notify instance admins in advance, without revealing details about the vulnerability, the time window in which the bug can be exploited should be shortened.

theothertom

@SoniEx2 @fionafokus The reason to have some sort of timeline/coordination is that, once the fix is public the problem is (often) obvious to attackers. Saying “we will release a fix for a serious issue at this time” allows everyone who needs to patch it to be ready, so they can minimize the time they’re vulnerable.

Aaron

@SoniEx2 @fionafokus The issue with just putting the patches on the internet without any coordination is that anyone reading them might be able to reconstruct an exploit to abuse the vulnerability while server administrators do not have a chance to protect themselves, i.e., because no release is available yet.
Instead, it is good practice to coordinate this process so that the time between the patches becoming public and an update being available is as short as possible.

