Bugtraq mailing list archives
Notifying Vendors
From: kerb () FNUSA COM (Kerb)
Date: Thu, 18 Nov 1999 15:42:21 -0600
With the bit of talk of notifying vendors in the past day or two, I thought I might throw in my $0.02 and how I do things. Notification and how long you wait for a response should be dependent on usage of the software. For example, the WU-FTPD hole in 2.5.0. No exploit has been released to date, even though 2.6.0 is out. It's a widespread package that would affect a LOT of systems if the exploit was just tossed out without giving the vendors time to come up with at least a temporary fix better than "disable FTP".

I believe that notification is _almost_ always necessary (except in rare cases like my Alibaba CGI bugs, because Alibaba had already demonstrated their lack of interest in the security of their software).

So basically what I'm trying to say is the time you wait for a response from the vendor (and/or a patch released) should depend on the severity of the hole and how widespread it will be.

-Kerb-