| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 Nov 2006 10:57:27 -0000 From: "David Litchfield" <davidl@...software.com> To: "Matthew Conover" <matthew_conover@...antec.com>, <bugtraq@...urityfocus.com>, <dbsec@...elists.org> Subject: Re: "Which is more secure? Oracle vs. Microsoft" (is it a fair comparison?) Hi Matt, >Given that NGS Software participated in Microsoft's Security Development >Lifecycle [1] and your paper is already being referenced by Microsoft >employees [2], the following question should be addressed to ensure the >comparison is fair: >Did NGS Software find any bugs in a version of SQL Server mentioned in >the paper (7, 2005, and 2005) during a private security audit which were >disclosed to Microsoft and fixed without being mentioned in a Microsoft >security bulletin? No. Additionally, if I was to find a bug in released code today Microsoft would fix it as usual and a public announcement would be made. It is imperative for both Microsoft and NGSSoftware that NGSSoftware is seen to be independent and not "in the pocket" of Microsoft. Since working with Microsoft we have been publicly credited in many Microsoft Bulletins - here's the list for 2006 alone: http://www.microsoft.com/technet/security/bulletin/ms06-nov.mspx http://www.microsoft.com/technet/security/bulletin/ms06-aug.mspx http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx http://www.microsoft.com/technet/security/bulletin/ms06-mar.mspx http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx The bottom line is that Oracle really is just more buggy. Cheers, David
Powered by blists - more mailing lists