On Fri, Dec 13, 2013 at 12:15 PM, Gary Baribault <[email protected]> wrote: > Of course, all software companies would love for the disclosure to wait > for the fix to be released, and often, if the delay is considered > reasonable by the hacker in question who found the bug, then that's what > happens. I think it's only in the case where the company considers the > bug to be minor or non existent, and they are asking for a ridiculous > delay that many hackers will say, 'tough luck I'm disclosing on xx' and > he takes his chances that most of us agree with his decision. As Mikhail > said, if the hacker came across the bug without any illegal means then > he should be fine after the release (but IANAL).
To add, in cases where people do release security updates even if a fix is pending it's most of the time not to do with the time line and more to do with the fact that the entity with the problem are trying to silence the "hacker" to prevent embarrassment. At least from what I've noticed and experienced. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
