Opera on Handling Security

Filed under
Security

Recently, some of our users have asked why we chose to disclose a potential security issue only after the release of Opera 9.10. Let me try to give a short overview of how security issues get reported and disclosed - and not only at Opera, but in most applications: it might help some people to understand how this works.

When somebody discovers a vulnerability in an application, they should report it to the vendor. It can happen that the reporters give a deadline by when they want to make full disclosure of the vulnerability, but usually the reporter and the vendor work out a disclosure date that makes both happy. If the exploit is not clear, both work on details and a PoC (proof of concept). When a fix has been made and a public release is available, both the reporter and the vendor publish an advisory. The vendor usually credits the reporter in the advisory for the discovery of the vulnerability.

It is important that both parties respect each other: if a fix is also included in development snapshot builds that reach a public audience (like the weekly builds on this blog), fixes for the vulnerability are not announced: this is a form of respect both for the reporter and for all the users that only upgrade to stable releases. Making the vulnerability public knowledge before a stable version fixes the issue would leave lots of users vulnerable. Serious reporters do not announce vulnerabilities before vendors have a fix in public builds - and vendors do not announce vulnerabilities before the reporters make their discovery public, in order to properly credit them.

Full Story.
