
VDAP, a vulnerability discovery announce protocol?

Sunday, September 27th, 2009

When you first see “Linux Kernel ‘sock_sendpage()’ NULL Pointer Dereference Vulnerability” in an email or on Twitter, it does not mean much at first glance.

If you are a Linux systems administrator, you realise this is a kernel issue, start scanning and thinking, and then read some more and realise this is serious. After 10 minutes the ramifications hit home, depending on the systems you maintain and your level of responsibility, on a scale from 1 (a single netbook running UNR) to 10, plus some off the scale; some readers will know what I mean.

My sentiments towards the Google security team are ambivalent. They were doing a job and did it well. I feel that the Open Source universe (and the proprietary one) does not have a satisfactory model for announcing and fixing serious security vulnerabilities. The impact on users, businesses, code maintainers and managers, all the way through the chain from producer to consumer, can be heavy, and I believe the process from announcement to fix could be much, much better.

The Google security team announcement (actually, the news was leaked) on the 13th September will have had a negative impact on Open Source communities, as any accident does, but it seems that lessons ought to be learnt.

A simple model could be:

1) Security vulnerability found.
2) Developer(s) contacted privately before any public announcement is made.
3) Developer's fix privately forwarded to major vendors.
4) Major vendors generate a patch and make it available.
5) Public announcement is made.

This point will have been made time and again: could or should such a protocol be made law? If a vulnerability has taken a team of top security experts to discover, then the likelihood of an individual or organisation finding the same vulnerability in the same amount of time must, in general, be slight.

I find it difficult to see the benefits of making a vulnerability public before at least contacting the developer. Should a large multinational like Google be allowed to uncover an error and then tell the whole world whenever it feels like it? Is that ethical? Could it be seen as an act of aggression? (See comment below; again, as reported above, the news was leaked.)

From now on I’m going to make a point of reading more about this process and following moves to change the current vulnerability discovery announce protocol.

Damian Brasher

Original post on Hampshire Linux Users Group