RE: https://chaos.social/@icing/116526903529846107

Aftermath: people running Debian httpd 2.4.66 started complaining when they got the 2.4.67 update to fix this RCE vulnerability. Which they already were protected from, but did not know. Because the CVE was not public at the time the fix was shipped.

[...]

Two security researchers found the vulnerability independently. Just scanning the 2.4.66 source code. This means the bad guys can no longer be kept in the dark. Coordinated disclosure no longer works.

#CVE_2026_23918

@tychotithonus

Eh... This isn't a particularly new issue. Doesn't even require source code, either. Bindiff is a couple decades old at this point.

Just because coordinated disclosure is hard and messy and flawed doesn't mean we should give up on the idea of protecting downstream users like the jerks behind the copy.fail disclosure did.

@DaveMWilburn Not disagreeing - I think Eissing is using "responsible" here on purpose, rather than "coordinated"