On Wed, Dec 15, 2010 at 3:36 PM, Damien Miller <d...@mindrot.org> wrote:
> On Wed, 15 Dec 2010, patrick keshishian wrote:
>
>> It is easy to shoot one's mouth off like that about bounty offered,
>> given the ridiculously constrained "conditions" the bounty is offered
>> under. He might as well have offered a million USD. No one will be able to
>> prove this under these restrictions.
>
> His conditions aren't "ridiculously constrained", they seem to be pretty
> much appropriate for the allegations.

The requirement that the bug still be exploitable in the current code is a little much. A hidden side channel might possibly be quite fragile and easily disarmed by accident without fixing the underlying flaw, but that wouldn't invalidate the allegation. That part did read a lot like hedging the bet. An exploit like this that only worked pre-4.4 (to pick a random older release for example) would still be very valuable.