Conversation
corbet

Jonathan Corbet

So the Linux Foundation and a wide range of companies have launched "Akrites" to deal with the vulnerability deluge:

https://akrites.org/letter/

I do wonder though ... "confidentiality" is at the core of this whole thing - keeping vulnerabilities secret until fixes are deployed. When you have LLMs discovering the vulnerabilities, though, they are not secret. Trying to treat them as if they were might well just slow down the process of getting fixes out and make things worse. Embargoes and confidentiality seem like an attempt to perpetuate the last decade's approaches beyond their time.
4
7
10
bluca@fosstodon.org

bluca

Reply to @corbet

@corbet in reality, once the low-hanging fruits (of which there are of course a non-negligible number) are dealt with, mere access to even frontier LLMs is just not enough. You need someone actually knowledgeable with the project in scope providing _really_ good prompts, and careful guidance, to get these things to produce actual issues. Otherwise at best you get a bunch of hardening bug fixes that have no real impact. Just assuming anybody can find anything by just asking claude is simplistic.

1
0
0
vathpela@infosec.exchange

Farce Majeure

Reply to @bluca@fosstodon.org

@bluca @corbet yeah, based on the pile of these reports I've filtered through now, the number of reports that would make sense on one project but not another and get reported anyway is very high. The signal-to-noise ratio is impressively bad.

0
0
0
penguin42@mastodon.org.uk

penguin42

Reply to @corbet

@corbet To my mind having them private for long enough for the maintainers to spot if there are any similar issues makes sense.

0
0
0
elle@weathered-steel.social

elle

Reply to @corbet

@corbet

> Embargoes and confidentiality seem like an attempt to perpetuate the last decade's approaches beyond their time.

this has been my impression, as well. like why not go in the exact opposite direction: full disclosure on discovery?

Put out the disclosure, along with at least a PoC fix patch set, as soon as possible.

Would allow upstream to have a much better position for applying the fix, even if it needs to be massaged a bit. Would also allow users to apply the patch to forks.

0
0
0
soaproot@sfba.social

soaproot

Reply to @corbet

@corbet I don't have much of an opinion about embargoes. But "This approach provides one confidential, trusted place to coordinate discovery, remediation, and disclosure" is I'm afraid giving me "there are 14 competing standards" vibes. (Arguably unfairly, but I can't resist)

0
0
0
About social.kernel.org

Terms of service

  1. Please do not use this service in violation of the Linux Kernel Code of Conduct. Doing so will result in your account suspension with the referral of the matter to the CoC committee.

  2. "Repeating"/"boosting" someone else's status on this platform will be treated as endorsement and will fall under rule #1.

  3. You are encouraged to use this platform to promote your work on the Linux Kernel, but there is no restriction on permitted topics (with the exception of anything covered by #1 above).

  4. There is no requirement to post in English, but it should be considered the primary language of communication on this platform.

Privacy notice

The admins of this service have access to all posted statuses. They aren't looking, but if it's something they shouldn't know about, then you should not post it on this platform.

Please see the Linux Foundation Privacy Policy, which applies to this platform as well.

Getting your own account

If you would like an account on this instance, please check that the following applies to you:

  • You are listed in MAINTAINERS or CREDITS

  • OR: You have a kernel.org account or email address

  • OR: You have a long and established history of involvement with the Linux Kernel

If the above is true and you agree with the Terms of Service and Privacy Notice listed above, please use these instructions to request an account: