Full Disclosure mailing list archives
How many vendors knowingly ship GA product with security vulnerabilities?
From: "Bill Stout" <bill.stout () greenborder com>
Date: Wed, 3 May 2006 22:23:42 -0700
Hello all,

Here's a question which is Full Disclosure specific.

It's a given that a vendor issues a patch for a vulnerability within a few days to a couple of weeks from date of vendor notification, after which all bets are off as far as public disclosure. Well, after some period of time (from 30 days to vendor requested period?).

If a patch is ready in just a few days, and QA for a patch takes several weeks, it would seem the vendor already knew about the vulnerability and had a fix ready, either for next release or vulnerability discovery, whichever came first. Otherwise the fix would take weeks to test and release in order to test all compatibilities related to the bug fix, correct?

So, my question is, if the vendor knew about vulnerabilities before a product was released, why wouldn't they simply delay the ship a few days in order to QA the patch for vulnerabilities they already knew about? Do vendors roll the dice on discoverability?

Bill Stout
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/