2018.04.09 07:29 "[Tiff] fuzzing libtiff with google's oss-fuzz", by Paul Kehrer

2018.04.09 14:52 "Re: [Tiff] fuzzing libtiff with google's oss-fuzz", by Bob Friesenhahn

I somehow understand your position on it, but you are probably assigning yourself more responsibility than you should. On our volunteer time, we have no moral or other obligations to anyone to fix any issues. For that reason, I'm less and less willing to deal with privately reported issues.

I am not feeling any particular responsibility at the moment. :-)

I am only warning the "community" and those on receiving end of oss-fuzz emails what to expect.

If libtiff utilities are engaged in oss-fuzz testing then many reports can be expected, especially if UBSAN is enabled. This is going to result in a lot of work for some people.

I don't think it really matters if bugs are not fixed within the 90-day delay. If they matter to people, they will look at the public issues and try to fix them and issue pull requests. Or fund people to fix them.

This seems reasonable. The black-hats surely have substantial computing resources available to them and they likely already know many exploits.

Bob
--
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/