"Are application developers, Linux vendors, and the
media playing this game when they report vulnerabilities in open
source software? I think so -- what compelled me to write this is
when I reviewed how a recent security vulnerability got reported.
It is essential that security vulnerabilities get reported
accurately so that affected users can make informed decisions, and
so we don't get caught up in spreading unnecessary fear,
uncertainty, and doubt. Since joining the security team at Red Hat,
I've found many examples across the industry in which
vulnerabilities were reported inaccurately. All vendors have made
mistakes at some time, and no vendor seems to be any better or
worse than the other. Fortunately, these mistakes do not appear to
be malicious -- just the result of a game of Chinese Whispers.

A vulnerability was found in the mutt e-mail client in December
2001, and Linux vendors quickly released new versions of their mutt
packages to fix the problem. However, in looking at the confusing
advisory details, you would have thought each vendor had actually
fixed a completely different vulnerability."