Open Source and information security mailing list archives
From: ib at clusterfsck.net (Isaak Bloodlore)
Subject: openssl exploit code

Quoting Florian Weimer (Weimer@...T.Uni-Stuttgart.DE):

> Bugtraq will follow the industry norms for security disclosures, like
> it does now.  There are always delays, even with Bugtraq: A security
> vulnerability has to be verified, and the vendor has to be alarmed.
> Typically, the vendor gets a grace period to develop a patch.  We will
> keep this standard.

So, here are the three prize-winning questions:

for $250,000: Was the person giving this interview talking out of his
or her behind? I.e. some misled M$-humping marketdroid?

for $500,000: What's the industry norm Symantec's talking about?
Unless I missed something, M$ for example is _not_ the industry.

for $1,000,0000: If a poster elects to give a vendor this grace period
himself, e.g. notifies the vendor, waits the standard seven days for
responses, will Symantec publish advisories and proof-of-concept code
right away? Will there be differences between, say, Microsoft and the
Apache consortium in how long this "grace period" is?

And lastly, is Bugtraq bound to the same restrictions and regulations
that Symantec in general, as a member of the Microsoft Security
Suppression Cabal, is?

-- me

-- 
a=[8,16,20,29,78,65,2,14,26,12,12,28,71,114,12,13,12,82,72,21,17,4,10,2,95]
        a.each_with_index{|x,i| $><<(x^'Begin landing your troops'[i]).chr}
