Bugtraq mailing list archives

Re: ISS Apache Advisory Response


From: Mike Eldridge <diz () cafes net>
Date: Fri, 21 Jun 2002 18:23:30 -0500

On Thu, Jun 20, 2002 at 06:06:03PM -0400, Klaus, Chris (ISSAtlanta) wrote:
> There has been a lot of misinformation spread about our ISS Apache Advisory
> and we wanted to clean up any confusion and misunderstanding.
>
> 1) Our policy for publishing advisories is to give a vendor a 30 to 45
> day quiet period to provide an opportunity to create a patch or work around.
> If an exploit for the vulnerability appears in the wild, or a patch and
> work-around is provided by the vendor or ISS X-Force, this quiet period is
> disregarded and the ISS X-Force advisory is published immediately.
>
> In the case of this advisory, ISS X-Force provided an Apache patch and did
> not see a need for a long quiet period.

this is a poor justification and is showing extreme disrespect to the
apache project.

if there was a hole in my software package abc, responsibility for
closing the hole is up to *me*, not you.  i would find it extremely
disrespectful and irresponsible if you released an advisory and provided
your *own* patch for it, no matter if it closed the hole or not.

what if your patch caused more problems than it fixed, which is possible
since it's extremely doubtful that you would have more intimate
knowledge of the project than the principal developers do?

the responsibility is the developers', not yours.

-mike

------------------------------------------------------------------------
   /~\  the ascii                         subvert the dominant paradigm
   \ /  ribbon campaign
    X   against html
   / \  email!
