[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: poof at fansubber.com (Poof)
Subject: Beta Advisories
Well, I'm personally all for announcing a beta advisory. However, when I'm
all for it is as follows:
Example. Eudora posts a PUBLIC beta on their website. Then fine, announce
the bug anywhere. However, when it's private. It should go the normal bug
ways. To the devs so they can fix it. Fine, it may take a build or two. But
it'll be fixed.
Also, I do consider gmail slightly private as it IS 'invite only'. So yes,
you should wait before reporting this. On betas the devs are usually extra
busy as they're currently having to write code everywhere. They're not just
lounging around waiting for bug reports.
~
Yes, I know this isn't written very well... However...
>
> Yes, and the OIS guidelines are thinly veiled "Oh please don't tell the
> world that we have had this bug for 6 months...we'll look bad" methods for
> being able to quash the full disclosure model and take the pressure of
> "respond to me, get it fixed, or thr world is going to know about it" off
> the vendors. Do you really think that the vendors will expend resources
> to fix things just because it is "the right thing to do"? Please tell me
> you're not that naive...please.
>
> I'm not advocating playing bombs away, sneak attacking a vendor by issuing
> a 0-day disclosure publicly. I sure as hell am saying that a vendor
> knowing the vuln will in fact be disclosed after a reasonable period of
> time, fixed or not, has certainly motivated more than a few to get the fix
> done prior to taking a public black eye.
>
> Bart Lansing
> Manager, Desktop Services
> Kohl's IT
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2342 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040706/c879bf47/smime.bin
Powered by blists - more mailing lists