Date: Fri, 06 Jul 2012 13:49:50 -0400
From: Laurelai <laurelai@...echan.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: How much time is appropriate for fixing a bug?

On 7/6/12 1:48 PM, Thor (Hammer of God) wrote:
> I already covered that -- if they don't fix it, then publish it.  
> Also, if a vendor has a "vulnerability" to the community, then they
> would obviously fix it.
>
> There's no "responsibility" to disclose anything.   FD doesn't exist
> to satisfy some requirement for researchers to publish vulnerability
> -- it exists so that people can market themselves.   The "we must
> disclose this so that people will know and they can protect
> themselves" is simply a justification for the aforementioned.    These
> people don't give a fat fuck about the industry or protecting other
> people.   If they did, they would just post "hey, there's a vuln in
> this product, email me and I'll tell you about it."  When no-one
> emails them (because this limited audience doesn't care) they don't
> get their "deserved cred" and post it.  
>
> Nobody cares, and nobody remembers...  his FD will simply be another
> tit in the peep show.  People like 0DayInit and Litchfield did it the
> SMART way.  They have a client base who have purchased a product to
> protect them from these vulnerabilities.  People who purchase the
> product are protected in the meantime, as the vuln is actually
> addressed in the product.  It actually works in favor of the
> vendor to take longer as it makes the product more valuable.  
>
>
> Vendors want "responsible disclosure" so they can assign priority to
> plan release cadence.  Disclosers want recognition, or payment, or
> both.   Each will do what is in their own best interest.  But let's
> not pretend it is anything other than what it is.
>
> t
>
>
>
> From: Peter Dawson <slash.pd@...il.com <mailto:slash.pd@...il.com>>
> Date: Friday, July 6, 2012 10:24 AM
> To: Timothy Mullen <thor@...merofgod.com <mailto:thor@...merofgod.com>>
> Cc: "full-disclosure@...ts.grok.org.uk
> <mailto:full-disclosure@...ts.grok.org.uk>"
> <full-disclosure@...ts.grok.org.uk
> <mailto:full-disclosure@...ts.grok.org.uk>>
> Subject: Re: [Full-disclosure] How much time is appropriate for fixing
> a bug?
>
> Thor (Hammer of God) : <If and when they fix it is up to them.>
>  
> so if vendor don't fix it /ack the bug.. then what ??
> Responsibility works both ways.. Advise the vendor.. if they say fuck
> it.. I say fuck u.. and will advise the community !
>  
> There is a responsibility to disclose a vulnerability to the community
> so that they can take down/block /deactivate a service .
>  
> "All that is necessary for the triumph of evil is that good men do
> nothing. " -whoever ..fuck it !
>  
> /pd
>
>  
> On Fri, Jul 6, 2012 at 12:46 PM, Thor (Hammer of God)
> <thor@...merofgod.com <mailto:thor@...merofgod.com>> wrote:
>
>     Well, I have to say, at least he's being honest.  If the guy is
>     chomping at the bit to release the info so he can get some
>     attention, then let him.  That, of course, is what it is all
>     about.   He's not releasing the info so that the community can be
>     "safe" by "forcing" the vendor to fix it.  He's doing it so people
>     can see how smart he is and that he found some bug.   So Joro's
>     reply of "fuck em" is actually refreshingly honest.  
>
>     Regarding "how long does it take," it is completely impossible to
>     tell.  If someone fixed it in 10 minutes, good for them.  It could
>     take someone else 10 months.   Any time I see things like
>     Wikipedia advising things like "5 months" I have to lol.  They
>     have no freaking idea whatsoever as to the company's dev processes
>     and the extent that the fix could impact legacy code or any number
>     of other factors.   I would actually have expected code
>     bug-finders to have a better clue about these things, but
>     apparently they don't.   
>
>     MSFT's process is nuts -- they have SO many dependencies, so many
>     different products with shared code, so many legacy products, so
>     many vendors with drivers and all manner of other stuff that the
>     process is actually quite difficult and time consuming.  Oracle is
>     worse -- they have the same but multiplied by x platforms.  Apple
>     I think has it the "easiest" of the big ones, but even OSX is
>     massively complex (and completely awesome).
>
>     It is all about intent:  if you want to be recognized publicly for
>     some fame or whatever, just FD it because chances are you will
>     anyway.   If you really care about the security of the industry,
>     then submit it and be done with it.  If and when they fix it is up
>     to them.
>
>     t
>
>
>
>     From: Gary Baribault <gary@...ibault.net <mailto:gary@...ibault.net>>
>     Date: Friday, July 6, 2012 7:59 AM
>     To: "full-disclosure@...ts.grok.org.uk
>     <mailto:full-disclosure@...ts.grok.org.uk>"
>     <full-disclosure@...ts.grok.org.uk
>     <mailto:full-disclosure@...ts.grok.org.uk>>
>     Subject: Re: [Full-disclosure] How much time is appropriate for
>     fixing a bug?
>
>     Hey Georgi,
>
>         Didn't take your happy pill this morning?
>
>         I would say that the answer depends on how the owner/company
>     answers you. If you feel that they're stringing you along and you
>     have given them some time, then warn them that you're publishing,
>     give them 24 hours and then go for it. Obviously it depends on the
>     bug and the software; a major bug in a large program will take
>     longer, and so long as they are talking to you, and you don't miss
>     your morning happy pill, you can wait, a small bug in a small
>     program shouldn't take as long. There is no one answer to your
>     question, if you are having an interactive discussion with them,
>     then be patient, otherwise, Georgi's answer is a good one if they
>     are ignoring you or stringing you along.
>
>
>     Gary B
>
>     On 07/06/2012 10:33 AM, Georgi Guninski wrote:
>     > On Wed, Jul 04, 2012 at 10:49:18PM +0200, Jann Horn wrote:
>     >> After having reported a security-relevant bug about a
>     >> smartphone, how long would
>     >> you wait for the vendor to fix it? What are typical times?
>     >>
>     >> I remember telling someone about a security-relevant bug in his
>     >> library some time
>     >> ago - he fixed it and published the fixed version within ten
>     >> minutes. On the
>     >> other hand, I often see mails on bugtraq or so in which the
>     >> given dates show that
>     >> the vendor took maybe a year or so to fix the issue...
>     >
>     >
>     >
>     >
>     > when i was young i asked a similar question.
>     >
>     > if you ask me now, the short answer is "fuck them, if you are
>     > killing a bug the time is completely up to you."
>     > responsible disclosure is just a buzzword (the RFC on
>     > it failed).
>     >
>     > you have bugs, they don't have.
>     >
>
>
>
>
>     _______________________________________________
>     Full-Disclosure - We believe in it.
>     Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>     <http://lists.grok.org.uk/full-disclosure-charter.html>
>     Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>
I find your honesty refreshing.

