| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Dec 2013 12:32:16 -0600 From: Jordon Bedwell <envygeeks@...il.com> To: Gary Baribault <gary@...ibault.net> Cc: Full Disclosure List <full-disclosure@...ts.grok.org.uk> Subject: Re: Where are you guys standing re: the (full) disclosure On Fri, Dec 13, 2013 at 12:15 PM, Gary Baribault <gary@...ibault.net> wrote: > Of course, all software companies would love for the disclosure to wait > for the fix to be released, and often, if the delay is considered > reasonable by the hacker in question who found the bug, then that's what > happens. I think it's only in the case where the company considers the > bug to be minor or non existent, and they are asking for a ridiculous > delay that many hackers will say, 'tough luck I'm disclosing on xx' and > he takes his chances that most of us agree with his decision. As Mikhail > said, if the hacker came across the bug without any illegal means then > he should be fine after the release (but IANAL). To add, in cases where people do release security updates even if a fix is pending it's most of the time not to do with the time line and more to do with the fact that the entity with the problem are trying to silence the "hacker" to prevent embarrassment. At least from what I've noticed and experienced. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists