Opera on Handling Security

Recently, some of our users have asked why we chose to disclose a potential security issue only after the release of Opera 9.10. Let me try to give a short overview of how security issues get reported and disclosed - not only at Opera, but for most applications. It might help some people understand how this works.

When somebody discovers a vulnerability in an application, they should report it to the vendor. Reporters sometimes set a deadline by which they want to make full disclosure of the vulnerability, but usually the reporter and the vendor work out a disclosure date that suits both. If the exploit is not clear, both work on the details and a PoC (proof of concept). When a fix has been made and a public release is available, both the reporter and the vendor publish an advisory. The vendor usually credits the reporter in the advisory for the discovery of the vulnerability.

It is important that both parties respect each other. If a fix is also included in development snapshot builds that reach a public audience (like the weekly builds on this blog), the fix for the vulnerability is not announced: this is a form of respect both for the reporter and for all the users who only upgrade to stable releases. Making the vulnerability public knowledge before a stable version fixes the issue would leave lots of users vulnerable. Serious reporters do not announce vulnerabilities before vendors have a fix in public builds - and vendors do not announce vulnerabilities before the reporters make their discovery public, in order to properly credit them.
