Thor (Hammer of God): <If and when they fix it is up to them.>

So if the vendor doesn't fix it / ack the bug, then what? Responsibility works both ways. Advise the vendor; if they say fuck it, I say fuck u, and will advise the community!

There is a responsibility to disclose a vulnerability to the community so that they can take down / block / deactivate a service. "All that is necessary for the triumph of evil is that good men do nothing." -whoever. Fuck it!

/pd

On Fri, Jul 6, 2012 at 12:46 PM, Thor (Hammer of God) <[email protected]> wrote:

> Well, I have to say, at least he's being honest. If the guy is chomping
> at the bit to release the info so he can get some attention, then let him.
> That, of course, is what it is all about. He's not releasing the info so
> that the community can be "safe" by "forcing" the vendor to fix it. He's
> doing it so people can see how smart he is and that he found some bug. So
> Joro's reply of "fuck em" is actually refreshingly honest.
>
> Regarding "how long does it take," it is completely impossible to tell.
> If someone fixed it in 10 minutes, good for them. It could take someone
> else 10 months. Any time I see things like Wikipedia advising things like
> "5 months" I have to lol. They have no freaking idea whatsoever as to the
> company's dev processes and the extent to which the fix could impact legacy
> code or any number of other factors. I would actually have expected code
> bug-finders to have a better clue about these things, but apparently they
> don't.
>
> MSFT's process is nuts – they have SO many dependencies, so many different
> products with shared code, so many legacy products, so many vendors with
> drivers and all manner of other stuff that the process is actually quite
> difficult and time consuming. Oracle is worse – they have the same but
> multiplied by x platforms. Apple I think has it the "easiest" of the big
> ones, but even OSX is massively complex (and completely awesome).
>
> It is all about intent: if you want to be recognized publicly for some
> fame or whatever, just FD it because chances are you will anyway. If you
> really care about the security of the industry, then submit it and be done
> with it. If and when they fix it is up to them.
>
> t
>
>
> From: Gary Baribault <[email protected]>
> Date: Friday, July 6, 2012 7:59 AM
> To: "[email protected]" <[email protected]>
> Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?
>
> > Hey Georgi,
> >
> > Didn't take your happy pill this morning?
> >
> > I would say that the answer depends on how the owner/company answers
> > you. If you feel that they're stringing you along and you have given them
> > some time, then warn them that you're publishing, give them 24 hours and
> > then go for it. Obviously it depends on the bug and the software: a major
> > bug in a large program will take longer, and so long as they are talking
> > to you, and you don't miss your morning happy pill, you can wait; a small
> > bug in a small program shouldn't take as long. There is no one answer to
> > your question. If you are having an interactive discussion with them, then
> > be patient; otherwise, Georgi's answer is a good one if they are ignoring
> > you or stringing you along.
> >
> > Gary B
> >
> > On 07/06/2012 10:33 AM, Georgi Guninski wrote:
> >
> > > On Wed, Jul 04, 2012 at 10:49:18PM +0200, Jann Horn wrote:
> > >
> > > > After having reported a security-relevant bug about a smartphone, how
> > > > long would you wait for the vendor to fix it? What are typical times?
> > > >
> > > > I remember telling someone about a security-relevant bug in his
> > > > library some time ago - he fixed it and published the fixed version
> > > > within ten minutes. On the other hand, I often see mails on bugtraq or
> > > > so in which the given dates show that the vendor took maybe a year or
> > > > so to fix the issue...
> > >
> > > when i was young i asked a similar question.
> > >
> > > if you ask me now, the short answer is "fuck them, if you are
> > > killing a bug the time is completely up to you."
> > > responsible disclosure is just a buzzword (the RFC on
> > > it failed).
> > >
> > > you have bugs, they don't have.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
