Re: it\'s all about timing

[full-disclosure () lists netsys com (Steven M. Christey)]

"Robert A. Seace" <ras () slartibartfast magrathea com> said:

> >   3.3.1 Vendor Responsibilities
> >
> >      7) The Vendor SHOULD recognize that inexperienced or malicious
> >      reporters may not use proper notification, and define its own
> >      procedures for handling such cases. 
>
>       Why must they automatically be labelled either "inexperienced"
> or "malicious", if they don't choose to follow the chosen guidelines??
> Suppose they simply disagree with those guidelines?  They may feel
> it's not THEIR job to spend a large portion of their time trying to
> educate the vendor about their own broken software...
>
> ... if you're still modifying this "policy", I would really
> suggest changing that language...  Just drop the whole labelling
> of such people, and simply say something like, "Some reporters
> may not follow these guidelines for notification."...

Good point, duly noted.

Many of the items in the draft try to give a rationale for why the
item is there.  In this case, the rationale is mixed with the
recommendation, and as you point out, it's incomplete anyway.  There
are a number of reasons why someone may not use "proper" notification.

Thanks,
- Steve