Full Disclosure mailing list archives

How many vendors knowingly ship GA product with security vulnerabilities?


From: "Bill Stout" <bill.stout () greenborder com>
Date: Wed, 3 May 2006 22:23:42 -0700

Hello all,

Here's a question which is Full Disclosure specific.

It's a given that a vendor issues a patch for a vulnerability within a
few days to a couple of weeks from date of vendor notification, after
which all bets are off as far as public disclosure.  Well, after some
period of time (from 30 days to a vendor-requested period?).

If a patch is ready in just a few days, and QA for a patch takes several
weeks, it would seem the vendor already knew about the vulnerability and
had a fix ready, either for next release or vulnerability discovery,
whichever came first.  Otherwise the fix would take weeks to test and
release in order to test all compatibilities related to the bug fix,
correct?

So, my question is, if the vendor knew about vulnerabilities before a
product was released, why wouldn't they simply delay the ship a few days
in order to QA the patch for vulnerabilities they already knew about?

Do vendors roll the dice on discoverability?

Bill Stout


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/