[SC-L] Disclosure: vulnerability pimps? or super heroes?
Blue Boar
BlueBoar at thievco.com
Tue Mar 6 10:26:00 EST 2007
Kenneth Van Wyk wrote:
> So, I applaud the public disclosure model from the standpoint of
> consumer advocacy. But, I'm convinced that we need to find a process
> that better balances the needs of the consumer against the secure
> software engineering needs. Some patches can't reasonably be produced
> in the amount of time that the "vulnerability pimps" give the vendors.
From the outside, it looks like the vast majority of the patches take as
long as the vendor feels like taking, with a small percentage of
vulnerabilities being released with no vendor warning at all. It's
relatively unusual that I see bulletins where the researcher releases
saying that the vendor took too long, so they are releasing now.
But that's just going from memory, I haven't done a proper survey or
anything.
BB