Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [8lgm]-Advisory-14.UNIX.SCO-prwarn.12-Nov-1994

From: grue () engin umich edu (Paul Howell)
Date: Mon, 28 Nov 1994 11:55:26 -0600 (CST)

Gene Spafford writes:

[...deleted...]
I'm also not trying to reopen the debate about full vs. partial vs. no
disclosure.  I'd like to see some hard evidence for things, though,
and *not* debate.  Even my experience has been anecdotal (but I
believe that it is more representative of the true user community than
these lists are).  Statements to the effect that "policy X produces
patches faster than policy Y" should be backed up by testable data.
Otherwise, they fall in the category of faith healing, diet aids, and
sightings of Elvis -- the observer may believe it is true, but there
is no controlled way to demonstrate it to skeptical observers in a
general setting.


Stating the obvious here, but we seem to be in the experiment now.

With 8lgm in the past, going with full disclosure.  One needs
to recall how quickly sun/ibm came up with patches for published
holes.

Start the clock, then compare and contrast with how quickly the 
latest flaws are fixed.

< Paul
Previous By Date Next
Previous By Thread Next

Current thread: