Date: Fri, 6 Jul 2012 13:24:44 -0400
From: Peter Dawson <slash.pd@...il.com>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: How much time is appropriate for fixing a bug?

Thor (Hammer of God) : <If and when they fix it is up to them.>

so if the vendor doesn't fix it / ack the bug.. then what??
Responsibility works both ways.. Advise the vendor.. if they say fuck it..
I say fuck u.. and will advise the community !

There is a responsibility to disclose a vulnerability to the community so
that they can take down/block/deactivate a service.

"All that is necessary for the triumph of evil is that good men do
nothing." -whoever ..fuck it !

/pd


On Fri, Jul 6, 2012 at 12:46 PM, Thor (Hammer of God)
<thor@...merofgod.com>wrote:

>  Well, I have to say, at least he's being honest.  If the guy is chomping
> at the bit to release the info so he can get some attention, then let him.
>  That, of course, is what it is all about.   He's not releasing the info so
> that the community can be "safe" by "forcing" the vendor to fix it.  He's
> doing it so people can see how smart he is and that he found some bug.   So
> Joro's reply of "fuck em" is actually refreshingly honest.
>
> Regarding "how long does it take," it is completely impossible to tell.
>  If someone fixed it in 10 minutes, good for them.  It could take someone
> else 10 months.   Any time I see things like Wikipedia advising things like
> "5 months" I have to lol.  They have no freaking idea whatsoever as to the
> company's dev processes and the extent that the fix could impact legacy
> code or any number of other factors.   I would actually have expected code
> bug-finders to have a better clue about these things, but apparently they
> don't.
>
> MSFT's process is nuts – they have SO many dependencies, so many different
> products with shared code, so many legacy products, so many vendors with
> drivers and all manner of other stuff that the process is actually quite
> difficult and time consuming.  Oracle is worse – they have the same but
> multiplied by x platforms.  Apple I think has it the "easiest" of the big
> ones, but even OSX is massively complex (and completely awesome).
>
> It is all about intent:  if you want to be recognized publicly for some
> fame or whatever, just FD it because chances are you will anyway.   If you
> really care about the security of the industry, then submit it and be done
> with it.  If and when they fix it is up to them.
>
> t
>
>
>
> From: Gary Baribault <gary@...ibault.net>
> Date: Friday, July 6, 2012 7:59 AM
> To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
> Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?
>
>  Hey Georgi,
>
>     Didn't take your happy pill this morning?
>
>     I would say that the answer depends on how the owner/company answers
> you. If you feel that they're stringing you along and you have given them
> some time, then warn them that you're publishing, give them 24 hours and then
> go for it. Obviously it depends on the bug and the software; a major bug in
> a large program will take longer, and so long as they are talking to you,
> and you don't miss your morning happy pill, you can wait. A small bug in a
> small program shouldn't take as long. There is no one answer to your
> question: if you are having an interactive discussion with them, then be
> patient; otherwise, Georgi's answer is a good one if they are ignoring you
> or stringing you along.
>
>
> Gary B
>
> On 07/06/2012 10:33 AM, Georgi Guninski wrote:
> > On Wed, Jul 04, 2012 at 10:49:18PM +0200, Jann Horn wrote:
> >> After having reported a security-relevant bug about a smartphone, how long would
> >> you wait for the vendor to fix it? What are typical times?
> >>
> >> I remember telling someone about a security-relevant bug in his library some time
> >> ago - he fixed it and published the fixed version within ten minutes. On the
> >> other hand, I often see mails on bugtraq or so in which the given dates show that
> >> the vendor took maybe a year or so to fix the issue...
> >
> >
> >
> >
> > when i was young i asked a similar question.
> >
> > if you ask me now, the short answer is "fuck them, if you are
> > killing a bug the time is completely up to you."
> > responsible disclosure is just a buzzword (the RFC on
> > it failed).
> >
> > you have bugs, they don't have.
> >
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
