lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070613174807.GF666@linuxbox.org>
Date: Wed, 13 Jun 2007 12:48:07 -0500
From: ge@...uxbox.org
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: Windows Oday release

On 2007-06-13 13:03-0400, Steven M. Christey wrote:

>>The time line is also interesting, BTW:
>
>Disclosure timelines are some of the most entertaining and educational
>reading in security advisories.  There's now (finally) enough data for
>somebody somewhere to do a quantitative study on reported timelines,
>including typical vendor response times, and issues in the process.  (If
>someone wants to pursue this, feel free to contact me to bat ideas
>around.)
>
>A lot of researcher timelines show a delay between the original discovery
>and vendor notification.  In some cases, this can be due to additional
>time required to prove that the discovery is exploitable in order to give
>a more reliable report to the vendor, but that's not always the case.

Thomas Lim though knows what he is doing and willing to stand behind
what he reports. Nowadays the vendors I am worried about are the open
source ones.

This is not about lost maintainers or non-existent patches, that's been
done to death. Reporting vulnerabilities to distributions can be so
depressing - and the replies you get (if any) are so annoying, that if
it was from Microsoft, they would have been grilled in the press already
for them.

>
>- Steve

	Gadi.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ