Message-ID: <52AB582D.6020707@baribault.net>
Date: Fri, 13 Dec 2013 13:55:41 -0500
From: Gary Baribault <gary@...ibault.net>
To: Jordon Bedwell <envygeeks@...il.com>
Cc: Full Disclosure List <full-disclosure@...ts.grok.org.uk>
Subject: Re: Where are you guys standing re: the (full) disclosure
When you say 'security updates' I assume you mean publish the bug, and I
think you're right, as I just stated in the other mail, if the company
is dragging its feet, threatening legal action (bluffing) or just
leading the hacker on, then to heck with them, let them know when you're
publishing and then publish! Maybe they'll learn, maybe not, maybe the
next hacker will be better treated, probably not.
Gary B
On 12/13/2013 01:32 PM, Jordon Bedwell wrote:
> On Fri, Dec 13, 2013 at 12:15 PM, Gary Baribault <gary@...ibault.net> wrote:
>> Of course, all software companies would love for the disclosure to wait
snip
>> he should be fine after the release (but IANAL).
>
> To add, in cases where people do release security updates even if a
> fix is pending it's most of the time not to do with the time line and
> more to do with the fact that the entity with the problem are trying
> to silence the "hacker" to prevent embarrassment. At least from what
> I've noticed and experienced.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/