Full Disclosure mailing list archives

Re: How much time is appropriate for fixing a bug?


From: Gary Baribault <gary () baribault net>
Date: Fri, 06 Jul 2012 15:00:50 -0400

That's about what I was saying: assuming that the one who found the bug
isn't into instant gratification, and the vendor is playing ball,
communicating, and you feel that they are really working on it, then sit
on it; you'll get your 15 minutes a little later. If the vendor is
stonewalling or you don't think they are really working on it, then publish;
that will get them off the dime!

Gary Baribault
Courriel: gary () baribault net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 07/06/2012 01:24 PM, Peter Dawson wrote:
Thor (Hammer of God) : <If and when they fix it is up to them.>
 
So if the vendor doesn't fix it / ack the bug.. then what??
Responsibility works both ways.. Advise the vendor.. if they say fuck
it.. I say fuck u.. and will advise the community!
 
There is a responsibility to disclose a vulnerability to the community
so that they can take down/block/deactivate a service.
 
"All that is necessary for the triumph of evil is that good men do
nothing." - whoever.. fuck it!
 
/pd

 
On Fri, Jul 6, 2012 at 12:46 PM, Thor (Hammer of God)
<thor () hammerofgod com <mailto:thor () hammerofgod com>> wrote:

    Well, I have to say, at least he's being honest.  If the guy is
    chomping at the bit to release the info so he can get some
    attention, then let him.  That, of course, is what it is all
    about.   He's not releasing the info so that the community can be
    "safe" by "forcing" the vendor to fix it.  He's doing it so people
    can see how smart he is and that he found some bug.   So Joro's
    reply of "fuck em" is actually refreshingly honest.  

    Regarding "how long does it take," it is completely impossible to
    tell.  If someone fixed it in 10 minutes, good for them.  It could
    take someone else 10 months.   Any time I see things like
    Wikipedia advising things like "5 months" I have to lol.  They
    have no freaking idea whatsoever as to the company's dev processes
    and the extent to which the fix could impact legacy code or any number
    of other factors.   I would actually have expected code
    bug-finders to have a better clue about these things, but
    apparently they don't.   

    MSFT's process is nuts – they have SO many dependencies, so many
    different products with shared code, so many legacy products, so
    many vendors with drivers and all manner of other stuff that the
    process is actually quite difficult and time consuming.  Oracle is
    worse – they have the same but multiplied by x platforms.  Apple I
    think has it the "easiest" of the big ones, but even OSX is
    massively complex (and completely awesome).

    It is all about intent:  if you want to be recognized publicly for
    some fame or whatever, just FD it because chances are you will
    anyway.   If you really care about the security of the industry,
    then submit it and be done with it.  If and when they fix it is up
    to them.

    t



    From: Gary Baribault <gary () baribault net <mailto:gary () baribault net>>
    Date: Friday, July 6, 2012 7:59 AM
    To: "full-disclosure () lists grok org uk
    <mailto:full-disclosure () lists grok org uk>"
    <full-disclosure () lists grok org uk
    <mailto:full-disclosure () lists grok org uk>>
    Subject: Re: [Full-disclosure] How much time is appropriate for
    fixing a bug?

    Hey Georgi,

        Didn't take your happy pill this morning?

        I would say that the answer depends on how the owner/company
    answers you. If you feel that they're stringing you along and you
    have given them some time, then warn them that you're publishing,
    give them 24 hours and then go for it. Obviously it depends on the
    bug and the software: a major bug in a large program will take
    longer, and so long as they are talking to you, and you don't miss
    your morning happy pill, you can wait; a small bug in a small
    program shouldn't take as long. There is no one answer to your
    question: if you are having an interactive discussion with them,
    then be patient; otherwise, Georgi's answer is a good one if they
    are ignoring you or stringing you along.


    Gary B

    On 07/06/2012 10:33 AM, Georgi Guninski wrote:
    > On Wed, Jul 04, 2012 at 10:49:18PM +0200, Jann Horn wrote:
    >> After having reported a security-relevant bug about a
    >> smartphone, how long would you wait for the vendor to fix it?
    >> What are typical times?
    >>
    >> I remember telling someone about a security-relevant bug in his
    >> library some time ago - he fixed it and published the fixed
    >> version within ten minutes. On the other hand, I often see mails
    >> on bugtraq or so in which the given dates show that the vendor
    >> took maybe a year or so to fix the issue...
    >
    > when i was young i asked a similar question.
    >
    > if you ask me now, the short answer is "fuck them, if you are
    > killing a bug the time is completely up to you."
    > responsible disclosure is just a buzzword (the RFC on
    > it failed).
    >
    > you have bugs, they don't have.
    >




    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/



