Message-ID: <KJLVEKKNDYMJL2FSKOGNPTOLJYKBB0IHAJIDNTIO@ziplip.com>
From: mitch_hurrison at ziplip.com (mitch_hurrison@...lip.com)
Subject: No Subject

Steven M. Christey (coleymitre.org) said:
>Michal Zalewski said:
>>The cycle of a vulnerability from discovery to publication (or leak)
>>is probably around two weeks to one month on average
>
>This is probably the case, based on some incomplete statistical work
>that I attempted based on published disclosure timelines from the
>first half of 2002. The extremes also appear frequently, whether the
>issues are fixed within 15 minutes or 6 months. And yes Virginia,
>sometimes even open source vendors can take more than 6 months to fix
>some bugs.
>
>- Steve


I notice this general lack of strength in your arguments when you
delve into "statistics." By these lines of reasoning, the average
time of disclosure of a WWII submarine was 2 days to a week on average,
and the best way to find one would be to publish your shipping schedule
in German newspapers.

Lcamtuf, of course, knows better, but even someone entirely unconnected
with the "underground" could see that the sadmind bug had been unleaked
for years now, and there's no good evidence to point to to say that this
is an outlier.

With regards,
Mitch
