On Thu, Jul 18, 2002 at 12:46:38AM +0200, Michel Arboi wrote:
> [EMAIL PROTECTED] wrote:
> [snip]
> > We will work with vendors, if we discover vulnerabilities in other
> > products, to report and investigate the issue in a thorough and
> > timely fashion, in the same way that Symantec will work with other
> > security researchers if they find an issue with any Symantec
> > technology.
> > We observe a 30-day grace period after the notification of a
> > security advisory to give users an opportunity to apply the patch.
> > During this grace period, we provide our customers significant
> > information about the vulnerability and the fix, but not
> > step-by-step instructions for exploiting the vulnerability.
> > We do not provide detailed exploit code or provide samples of
> > malicious code except to other trusted security
> > researchers and in a secured manner.
>
> Just curious: will they consider the Nessus community as "trusted
> security researchers" or as a gang of dangerous terrorists?
It depends. How much does one have to pay each year to be a "trusted security
researcher"?
-- Renaud