Shachar Shemesh <[EMAIL PROTECTED]> writes:

> Also, if we want greater flexibility in handling these cases in the future, we
> should set up an invite-only list for reporting security bugs, and advertise it
> on the web site as the place to report security issues. Had this vulnerability
> been reported there, we could reasonably hold on without releasing a fix until
> 7.4.3 was ready.

A lot of people would be unhappy with that approach. A) they don't know the people on the invite-only list and have no basis to trust them and B) Often when a white hat reports the problem the black hats have known about it for much longer already.

--
greg