| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1043857403.21025.22.camel@utd49554.utdallas.edu> From: pauls at utdallas.edu (Paul Schmehl) Subject: Re: Full Disclosure != Exploit Release On Wed, 2003-01-29 at 06:13, David Howe wrote: > That is of course your choice. Vendors in particular were prone to deny > a vunerability existed unless exploit code were published to prove it. I've read this mantra over and over again in these discussions, and a question occurs to me. Can anyone provide a *documented* case where a vendor refused to produce a patch **having been properly notified of a vulnerability** until exploit code was released? Definitions: "properly notified" means that the vendor received written notification at a functional address (either email or snail mail) *and* responded (bot or human) so that the sender knows the message was received. "documented" means that there is proof both of proper notification *and* that a patch was not released in a timely manner "timely" means within two weeks of the notification "vendor" means any company that produces publicly available software - open source or commercial Caveats: You cannot use a case where exploit code was released at the same time the vulnerability announcement was made *or* within two weeks of the announcement (see "timely") I'm not saying this doesn't occur. Just that it has the smell of urban legend and justification for actions taken. -- Paul Schmehl (pauls@...allas.edu) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/~pauls/ AVIEN Founding Member
Powered by blists - more mailing lists