Kenneth Van Wyk wrote:

> So, I applaud the public disclosure model from the standpoint of
> consumer advocacy. But, I'm convinced that we need to find a process
> that better balances the needs of the consumer against the secure
> software engineering needs. Some patches can't reasonably be produced
> in the amount of time that the "vulnerability pimps" give the vendors.
From the outside, it looks like the vast majority of the patches take as long as the vendor feels like taking, with a small percentage of vulnerabilities being released with no vendor warning at all. It's relatively unusual that I see bulletins where the researcher releases saying that the vendor took too long, so they are releasing now. But that's just going from memory; I haven't done a proper survey or anything.

BB

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________