Full Disclosure mailing list archives

openssl exploit code


From: ib () clusterfsck net (Isaak Bloodlore)
Date: Tue, 17 Sep 2002 09:50:07 -0700

Quoting Florian Weimer (Weimer () CERT Uni-Stuttgart DE):

Bugtraq will follow the industry norms for security disclosures, like
it does now.  There are always delays, even with Bugtraq: A security
vulnerability has to be verified, and the vendor has to be alarmed.
Typically, the vendor gets a grace period to develop a patch.  We will
keep this standard.

So, here are the three prize-winning questions:

for $250,000: Was the person giving this interview talking out of his
or her behind? I.e. some misled M$-humping marketdroid?

for $500,000: What's the industry norm Symantec's talking about?
Unless I missed something, M$ for example is _not_ the industry.

for $1,000,0000: If a poster elects to give a vendor this grace period
himself, e.g. notifies the vendor, waits the standard seven days for
responses, will Symantec publish advisories and proof-of-concept code
right away? Will there be differences between, say, Microsoft and the
Apache consortium in how long this "grace period" is?

And lastly, is Bugtraq bound to the same restrictions and regulations
that Symantec in general, as a member of the Microsoft Security
Suppression Cabal, is?

-- me

-- 
a=[8,16,20,29,78,65,2,14,26,12,12,28,71,114,12,13,12,82,72,21,17,4,10,2,95]
        a.each_with_index{|x,i| $><<(x^'Begin landing your troops'[i]).chr}
