| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: guninski at guninski.com (Georgi Guninski) Subject: Re: Full Disclosure != Exploit Release Paul Schmehl wrote: > On Wed, 2003-01-29 at 06:13, David Howe wrote: > > >>That is of course your choice. Vendors in particular were prone to deny >>a vunerability existed unless exploit code were published to prove it. > > > I've read this mantra over and over again in these discussions, and a > question occurs to me. Can anyone provide a *documented* case where a > vendor refused to produce a patch **having been properly notified of a > vulnerability** until exploit code was released? > > Definitions: > > "properly notified" means that the vendor received written notification > at a functional address (either email or snail mail) *and* responded > (bot or human) so that the sender knows the message was received. > > "documented" means that there is proof both of proper notification *and* > that a patch was not released in a timely manner > > "timely" means within two weeks of the notification > IIRC micro$oft never fixed any of my reports in "timely" manner according to your definitions. Somewhere on www.guninski.com you may see they didn't fix a reproducible exploit in a lot of months. Another recent example is the "shatter" exploit, which was first denied to be a bug. Georgi Guninski http://www.guninski.com
Powered by blists - more mailing lists