OpenSSL's "notification of an upcoming critical release" is public, not private.

You do get to know that the vulnerability exists quickly, and you could choose to stop using OpenSSL altogether (among other mitigations) once that email goes out.
If your system has already been compromised at the root level, it does not matter in the least bit.

Well, if you assume everyone has already been exploited, disclosing quickly vs. slowly won't prevent that.

Also, if something is being actively exploited, usually there's no or very little embargo.