From: kdebisschop at alert.infoplease.com (Karl DeBisschop)
Subject: Vendor v. Open-Source Response (was GUNINSKI THE SELF-PROMOTER)

On Sun, 2003-07-20 at 01:25, Valdis.Kletnieks@...edu wrote:
> On Sat, 19 Jul 2003 22:43:36 EDT, "mattmurphy@...rr.com" <mattmurphy@...rr.com>  said:
> > point.  You whine about two weeks to produce a patch from MS, and then you
> > wait for an open source project to patch a bug for almost a month, they
> > don't even start, and you still praise their project.  That's hypocrisy
> > Georgi, no matter what you call it.
> 
> How about we factor in the budgets ...
>
> ... There's nothing at all
> "hypocritical" in holding a large vendor to a higher standard than a private
> project - one can reasonably expect that Microsoft can find the resources to
> have a security bug looked at within 24 hours.  On  the other hand, a lot of
> open source software is maintained by just one or two people.

Actually, time to fix, IMHO, is not MS's biggest failing in this arena. I
can understand that a bug may be hard to fix across multiple versions of
an OS, etc.

But any vendor, large or small, can accept a bug report, assign a
tracking number, attempt to validate the bug, and report those findings
to the original submitter.

Mozilla does it. Gnome does it. Any OS project using SourceForge or
Savannah can do it. But MS cannot?

Whether the books are opened at the time the bug is filed, or at the
time the patch is released could, again IMHO, be a vendor decision. But
it is those records, or the various open mailing lists, that provide the
basis for a user to make an educated decision about which product they
choose to buy or use. The market is made unfair when a vendor suppresses
release of any bug it does not feel like fixing.

While I personally feel full disclosure is the best way to make a solid,
reliable product, MS does not. That's their choice, but if MS wishes to
credibly say that its limited disclosure policy works, there must be
some tracking and accountability. Until then, it looks like a smokescreen
to me.

-- 
Karl DeBisschop <kdebisschop@...rt.infoplease.com>
