| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Jun 2007 12:48:07 -0500 From: ge@...uxbox.org To: "Steven M. Christey" <coley@...us.mitre.org> Cc: bugtraq@...urityfocus.com Subject: Re: Windows Oday release On 2007-06-13 13:03-0400, Steven M. Christey wrote: >>The time line is also interesting, BTW: > >Disclosure timelines are some of the most entertaining and educational >reading in security advisories. There's now (finally) enough data for >somebody somewhere to do a quantitative study on reported timelines, >including typical vendor response times, and issues in the process. (If >someone wants to pursue this, feel free to contact me to bat ideas >around.) > >A lot of researcher timelines show a delay between the original discovery >and vendor notification. In some cases, this can be due to additional >time required to prove that the discovery is exploitable in order to give >a more reliable report to the vendor, but that's not always the case. Thomas Lim though knows what he is doing and willing to stand behind what he reports. Nowadays the vendors I am worried about are the open source ones. This is not about lost maintainers or non-existent patches, that's been done to death. Reporting vulnerabilities to distributions can be so depressing - and the replies you get (if any) are so annoying, that if it was from Microsoft, they would have been grilled in the press already for them. > >- Steve Gadi.
Powered by blists - more mailing lists