Re: Public disclosure of discovered vulnerabilities
From: Bryan Olson (fakeaddress_at_nowhere.org)
Date: 05/18/05
- In reply to: Stephen Sprunk: "Re: Public disclosure of discovered vulnerabilities"
- Next in thread: Colin Andrew Percival: "Re: Public disclosure of discovered vulnerabilities"
- Reply: Colin Andrew Percival: "Re: Public disclosure of discovered vulnerabilities"
Date: Wed, 18 May 2005 03:27:21 GMT
Stephen Sprunk wrote:
[...]
> In contrast, one vendor I worked with would fix security bugs and ship
> patches (without telling customers what they fixed) as quickly as
> possible but request that the person discovering it withhold public
> release until (a) an exploit was seen in the wild or (b) six months
> elapsed. The latter almost always held and so by the time they
> announced the vulnerability, nearly all of their customers were already
> running patched software. This is about the best response I can
> imagine.
Seen better:
http://www.mozilla.org/security/bug-bounty.html
--Bryan