hmm.. i think i see a disconnect here.
not all vulnerabilities are discovered by a community that exploits
them. some are discovered internally, others are discovered by people
"close" to the lab whose personal interests are not served by exploit.
and i think your comment encapsulates issues with fair and early
disclosure:
"vulnerabilities should be fixed as soon as possible after discovery
and the discoverer should limit disclosure to those parties who can
effectively reduce the risk of exploit."
so, agreed: fixing a security bug includes sending it through the QA
process.
and: if there is a large community of persons exploiting the bug, then
the risk of disclosure to the group of 3rd party developers working on
SL projects is reduced.
but: if the bug is not being exploited, then you increase the risk of
exploit by disclosing the bug before a patch can be produced.
-cheers
-infinity
On Dec 26, 2008, at 10:31 PM, Tateru Nino wrote:
Somewhere around the time this last QA phase begins, I'm guessing is
when it is proposed that the third-parties on the disclosure list get
notified, which would have their own viewers ready around the same time
that Linden Lab finishes its QA pass on the first-party viewer.
During all this time, exploiters will presumably be sharing information
about the exploit with other exploiters and exploring variations of the
exploit to see if other flaws can be .. well, exploited by similar means.
_______________________________________________
Policies and (un)subscribe information available here:
http://wiki.secondlife.com/wiki/SLDev
Please read the policies before posting to keep unmoderated posting privileges