That really depends, since it was found by a reputable
source the vuln was not released until a patch was
available, same with the recent .htr problem with IIS,
eEye waited until the patch was out before they released
the details of it. (if you wanna get really picky, a
cvs patch isn't as good as a patch available for download ;)

This isn't really an open source thing, it's a responsibility
thing, in both situations if it was found by a script kiddie
then the response times might differ, but not by much.

jeremyb.
 
> From: Zane Gilmore <[EMAIL PROTECTED]>
> Date: 2002/06/18 Tue PM 10:18:07 GMT+12:00
> To: [EMAIL PROTECTED]
> Subject: Re: Apache vulnerability
> 
> Although the patch is not a formal one I think that this shows one of the most 
> wonderful things about open-source software.
> 
> No sooner has someone found a problem with the software than the fix is up 
> within hours for someone who might be desperate for the fix. This is 
> unattainable by most proprietary shops probably even M$.
> 
> There is probably very little chance that an exploit can be written before the 
> fix.

