Re: GnuPG efail - researcher discussion failure

Danny O'Brien <danny@...>

From: Tom Ritter <>
Subject: Re: [CII-badges] GnuPG efail - researcher discussion failure
Date: May 15, 2018 at 9:57:56 AM EDT
To: "Luis R. Rodriguez" <>
Cc: Werner Koch <>,
Katitza Rodriguez <>
I think there's a discussion relating to CII here. I agree this isn't
the right place but since there's no general CII discussion list (nor
is there really enough traffic for one) - we hijack away!
Kat passed on the thread --

I won't hijack this thread any more than it has been, but EFF would be
happy to join any discussion for making this better. God knows we
learned (and re-learned) a lot in this, and I'm pushing for writing up a
public post-mortem to help others in similar situations.

Anyway, just wanted to stick my name here for those of you who don't
have a contact with us.


One of the discussions I've had in the past as it related to CII is
how Open Source projects should handle patches for vulnerabilities.
I've pointed to OpenSSL as a model for example. They are very diligent
about developing fixes and not pre-releasing them; they give
notification of the day and approximate time for patches, and these
things give enterprises (I imagine, not actually in charge of patching
enterprise-deployments of OpenSSL) a lot of comfort and capacity

This type of coordinated disclosure is another situation where the
interests of affected vendors, affected consumers, and security
researchers are not necessarily at odds - but neither are they in alignment.
Security Researchers want (and sometimes need to justify their
position in orgs) big press coverage. Fancy websites, demos, and
'simplified' impact statements all work to their favor. (And when I
say 'simplified' I don't mean that derogatorily: "Attack leaks
contents of PGP/S/MIME Encrypted Email" is still accurate and much
simpler than "Poor Content Handling in certain Email Clients may leak
PGP/S/MIME contents")

Proposals that push on security researchers to avoid hype, to avoid
trying to make a big impact with their work, are doomed to failure. All
you're going to do is push them to coordinate with you less, to the
point where a disclosure date will come and they'll release a website
and exclusive on CNN and you won't have known either was coming.
Instead, I think the way to do it is to push Security Researchers to
coordinate with you _more_.

They've got a big attack on Drupal? Hell, give them so you can lend it legitimacy and show you're
working with them. Work to create a joint media message together and
provide quotes that can be used in stories about it. Instead of
silently identifying and fixing a variant of their attack you
discover; add to their paper/presentation. If it's significant enough,
you can ask to co-present/co-author. Some bugs are so simple there's
not much meat to the story, but as someone who has reviewed
submissions for security conferences, it's really rare and really
great when a researcher and the researched co-present and tell both
their sides of the story. There are a _lot_ of lessons to be learned
from those types of talks.

While all of this applies to FOSS and non-FOSS, I think (or hope) that
FOSS should be more open to it. I think (or hope) that there's less
ego in FOSS when it comes to projects and it's easier for open source
projects to say "Wow that's a really awesome find" or "That's a really
impressive chain that was built to exploit this" and congratulate and
appreciate researchers instead of seeing it as an us vs them


On 14 May 2018 at 18:35, Luis R. Rodriguez <> wrote:

As you may know there is tons of media coverage over efail:

The GnuPG team response seems to indicate that the researchers really
didn't properly engage or tune their message to avoid such hype over
such issues:

The tone should therefore have been more about tons of MUAs needing
fixing. But everything else seems hype.

Since CII started in part as a response to Heartbleed, and the badge
program is IMHO a success story considering the number of projects which
have been up to meet the requirements, it has me thinking that despite
the badge something is still missing here.

What could be done, from a community, or even CII perspective, to avoid
cross channel miscommunication mishaps between security researchers and
our broad set of FOSS projects in the community?

Cc'ing two folks who I believe are not subscribed. Perhaps this is
off topic, but, not sure where *else* could such a topic be discussed in a