Kenneth Van Wyk wrote:
> So, I applaud the public disclosure model from the standpoint of
> consumer advocacy.  But, I'm convinced that we need to find a process
> that better balances the needs of the consumer against the secure
> software engineering needs.  Some patches can't reasonably be produced
> in the amount of time that the "vulnerability pimps" give the vendors.

From the outside, it looks like the vast majority of the patches take as
long as the vendor feels like taking, with a small percentage of
vulnerabilities being released with no vendor warning at all. It's
relatively unusual that I see bulletins where the researcher releases
saying that the vendor took too long, so they are releasing now.

But that's just going from memory, I haven't done a proper survey or

Secure Coding mailing list (SC-L)
SC-L is hosted and moderated by KRvW Associates, LLC
as a free, non-commercial service to the software security community.