Re: MS Not Trust is't PSS/Gold Partners with Early Security/Vuln.

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 02/10/05 

Date: Wed, 9 Feb 2005 23:09:37 -0500

While I would love to have more details about vulnerabilities, and have made
this same request as the OP myself, I have to be honest and admit that
having this advanced info would not make me any safer or my life any easier.

I think it is the right decision for MS to withhold details until the patch
comes out. While I think I am trustworthy, I think there are so many people
on the PSS / Gold partners list, including some people who probably aren't
trustworthy, the information would no doubt leak out. All you need to
become a PSS / Gold partner is a contract and some money, or just work for
someone who does.

It would be a major snafu if, theoretically, this ever led to a zero day
vuln being released with no patch out yet. Also, if MS ever found out at
the last minute that a pre-announced patch caused problems on some systems
and had to be re-engineered, re-tested and the release postponed, that would
be spun as a big failure in the media. You and I are hurt when MS feels
pressured to release a patch prematurely due to misinformation in the media.

I feel much safer when the MS vulnerability I"m reading about has a patch to
go with it. Unfortunately, the only way for this to happen is to be happy
with the level of advanced information we're getting now. I think MS has
done a lot this year and last to make the patching experience better than
ever - everyone is getting at least some advanced information that
previously was only available to support partners, patches are coming out
mostly just once a month, and other vendors like Oracle are copying this
kind of schedule.

"PA Bear" <PABearMVP@gmail.com> wrote in message
news:uK1bikxDFHA.3368@TK2MSFTNGP10.phx.gbl...
> Thank you, Steve and Alun, for jumping in here.
> --
> ~Robear Dyer (PA Bear)
> MS MVP-Windows (Shell, IE/OE) & Security

Relevant Pages