<!-- Paul Schmehl wrote:
On Wed, 2003-01-29 at 06:13, David Howe wrote:
> That is of course your choice. Vendors in particular were prone to deny
> a vulnerability existed unless exploit code were published to prove it.

I've read this mantra over and over again in these discussions, and a question occurs to me. Can anyone provide a *documented* case where a vendor refused to produce a patch **having been properly notified of a vulnerability** until exploit code was released?
-->

It is accurate. Even providing the most detailed step-by-step instructions to the vendor can yield a blank stare and a request for working demonstration. Once submitted, the vendor disappears. Thereafter you publish both the detailed step-by-step and the working demonstration because you never hear back from the vendor. Or if you do hear back, it has been determined by them "not to be an issue".

Happens all the time.

--
http://www.malware.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
