Full Disclosure mailing list archives

Re: How much time is appropriate for fixing a bug?


From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Mon, 9 Jul 2012 06:14:33 +0000

I must not have articulated my point properly as it looks like we are both
saying the same thing.

What I was trying to convey was that if a person was actually concerned
about the "industry" as opposed to self-promotion and ego-substantiation,
then they would just notify the vendors and then get on with their lives
irrespective of the vendors' ultimate remedy.  As you say, there are any
number of reasons why a vendor will or won't fix a bug, and/or when they
will or won't fix it.  The "researcher" will never know the requirements
or considerations.  In that respect, you have to "trust" the vendor -
again, *IF* you are not concerned with self promotion.

When a vendor fixes a bug, why do people then post details on their find
once it is patched?  For recognition.  I'm not saying there's anything
wrong with it - I've done it myself, purely for the reason of getting some
acknowledgment.  I was just commenting on the "honesty" of Joro's "fuck
'em" comment.  

I think any more on the subject will just result in another flare-up of FD
vs RD vs FO vs GGF, so I'll probably not spend too much more time on the
thread - but please feel free to add whatever you may think I've missed...

t

On 7/8/12 5:07 AM, "Stefan Kanthak" <stefan.kanthak () nexgo de> wrote:

"Thor (Hammer of God)" <thor () hammerofgod com> wrote:

| Content-Type: multipart/mixed; boundary="===============0734760750=="

Please stop posting anything but text/plain.

If you really care about the security of the industry, then submit it and
be done with it.  If and when they fix it is up to them.

OUCH!?
The "industry" will (typically) not fix any error if the cost for fixing
exceeds the loss (or revenue) that this fix creates, including the vendors
gain/loss of reputation, gain/loss of stock value, loss of money in court
cases or due to compensations, loss of (future) sales due to (dis-)satisfied
customers, ...

Joe Average can't tell the difference between a program which is designed,
developed, built and maintained according to the state of the art, and some
piece of crap that is not. He only sees the (nice or promising) GUI of
the product and its price tag.

Stefan Kanthak


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

