Hello all,
Here’s a question which is Full Disclosure specific.
It’s a given that a vendor issues a patch for a vulnerability within a few days to a couple of weeks from the date of vendor notification, after which all bets are off as far as public disclosure. Well, after some period of time (from 30 days to a vendor-requested period?).
If a patch is ready in just a few days, and QA for a patch takes several weeks, it would seem the vendor already knew about the vulnerability and had a fix ready, either for the next release or for vulnerability discovery, whichever came first. Otherwise the fix would take weeks to test and release in order to test all compatibilities related to the bug fix, correct?
So, my question is, if the vendor knew about vulnerabilities before a product was released, why wouldn’t they simply delay the ship a few days in order to QA the patch for vulnerabilities they already knew about?
Do vendors roll the dice on discoverability?
Bill Stout
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
