[gnutls-devel] serious bug in web site

jericho jericho at attrition.org
Fri Feb 27 18:53:24 CET 2015


http://www.gnutls.org/security.html

On 2015/02/25 a new advisory appears, SA-2015-1, that is a cut/paste copy 
of SA-2014-5 and has no CVE.

On 2015/02/27 SA-2015-1 disappears without any indication as to why, or 
explanation if it was a mistake.

So on a Wednesday you say "there is a vulnerability" in a pretty important 
library, then on Friday you say "just kidding" ... maybe. This is not 
responsible disclosure [1]1 and represents a serious flaw in your 
disclosure process.

Please be more transparent and clear with your users.

jericho
OSVDB.org

[1] Yes, 'responsible' is usually a bad term when talking 'coordinated'
     disclosure, but is very applicable to this situation.




More information about the Gnutls-devel mailing list