| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200504130444.j3D4ihN6014521@turing-police.cc.vt.edu> Date: Wed Apr 13 05:45:04 2005 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: How to Report a Security VulnerabilitytoMicrosoft On Tue, 12 Apr 2005 17:21:20 EDT, mcbain@....com said: > I personally have only been effected once _severely_ after patch Tuesday. You've been lucky, then.. ;) > But think about it, the testing scenarios that exist on planet earth can > not possibly be even accounted for let alone tested in Redmond. Insufficient testing for breaking end-user configurations is an entirely different issue. Your claim was that "they find the root of the problem", and that doing this adds time to get the patch out the door. My point is that if they in fact were doing that, we'd not see so many "It still works if you put a \ in front of the semicolon" type reports - an indication that the released patch is not in fact fixing the basic problem. (To be fair to Microsoft - sometimes the "basic problem" is a basic conceptual design flaw that can't be fixed in a clean compatible way, and you end up just papering over the known holes and pushing a "real" fix off to "the next release") -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050413/ab1e6037/attachment.bin
Powered by blists - more mailing lists