Bugtraq mailing list archives
Re: Windows Oday release
From: ge () linuxbox org
Date: Wed, 13 Jun 2007 12:48:07 -0500
On 2007-06-13 13:03-0400, Steven M. Christey wrote:
The time line is also interesting, BTW:
Disclosure timelines are some of the most entertaining and educational reading in security advisories. There's now (finally) enough data for somebody somewhere to do a quantitative study on reported timelines, including typical vendor response times, and issues in the process. (If someone wants to pursue this, feel free to contact me to bat ideas around.)
A lot of researcher timelines show a delay between the original discovery and vendor notification. In some cases, this can be due to additional time required to prove that the discovery is exploitable in order to give a more reliable report to the vendor, but that's not always the case.
Thomas Lim, though, knows what he is doing and is willing to stand behind what he reports. Nowadays the vendors I am worried about are the open source ones. This is not about lost maintainers or non-existent patches, that's been done to death. Reporting vulnerabilities to distributions can be so depressing - and the replies you get (if any) are so annoying, that if it was from Microsoft, they would have been grilled in the press already for them.
- Steve
Gadi.