lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <1FA45C2E5F2E4B46967415DA3A804FE83C38D5@mail.greenborder.com>
Date: Thu May  4 06:22:20 2006
From: bill.stout at greenborder.com (Bill Stout)
Subject: How many vendors knowingly ship GA product with security vulnerabilities?

Hello all,

Here's a question which is Full Disclosure specific.

It's a given that a vendor issues a patch for a vulnerability within a
few days to a couple of weeks from date of vendor notification, after
which all bets are off as far as public disclosure.  Well, after some
period of time (from 30 days to vendor-requested period?).

If a patch is ready in just a few days, and QA for a patch takes several
weeks, it would seem the vendor already knew about the vulnerability and
had a fix ready, either for next release or vulnerability discovery,
whichever came first.  Otherwise the fix would take weeks to test and
release in order to test all compatibilities related to the bug fix,
correct?

So, my question is, if the vendor knew about vulnerabilities before a
product was released, why wouldn't they simply delay the ship a few days
in order to QA the patch for vulnerabilities they already knew about?  

Do vendors roll the dice on discoverability?

Bill Stout

