| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: mitch_hurrison at ziplip.com (mitch_hurrison@...lip.com) Subject: No Subject Steven M. Christey (coleymitre.org) said: >Michal Zalewski said: >>The cycle of a vulnerability from discovery to publication (or leak) >>is probably around two weeks to one month on average > >This is probably the case, based on some incomplete statistical work >that I attempted based on published disclosure timelines from the >first half of 2002. The extremes also appear frequently, whether the >issues are fixed within 15 minutes or 6 months. And yes Virginia, >sometimes even open source vendors can take more than 6 months to fix >some bugs. > >- Steve I notice this general lack of strength in your arguments when you delve into "statistics." By these lines of reasoning, the average time of disclosure of a WWII submarine was 2 days to a week on average, and the best way to find one would be to publish your shipping schedule in German newspapers. Lcamtuf, of course, knows better, but even someone entirely unconnected with the "underground" could see that the sadmind bug had been unleaked for years now, and there's no good evidence to point to to say that this is an outlier. With regards, Mitch
Powered by blists - more mailing lists