Kenneth Van Wyk wrote:
> So, I applaud the public disclosure model from the standpoint of
> consumer advocacy. But, I'm convinced that we need to find a process
> that better balances the needs of the consumer against the secure
> software engineering needs. Some patches can't reasonably be produced
> in the amount of time that the "vulnerability pimps" give the vendors.
>From the outside, it looks like the vast majority of the patches take as
long as the vendor feels like taking. With a small percentage of
vulnerabilities being released with no vendor warning at all. It's
relatively unusual that I see bulletins where the researcher releases
saying that the vendor took too long, so they are releasing now.
But that's just going from memory, I haven't done a proper survey or
anything.
BB
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
