Full Disclosure mailing list archives

Re: How much time is appropriate for fixing a bug?


From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Mon, 9 Jul 2012 15:10:44 +0200

"Thor (Hammer of God)" <thor () hammerofgod com> wrote:

I must not have articulated my point properly as it looks like we are both
saying the same thing.

No, we still disagree.

What I was trying to convey was that if a person was actually concerned
about the "industry" as opposed to self-promotion and ego-substantiation,
then they would just notify the vendors and then get on with their lives
irrespective of the vendors' ultimate remedy.

CVE can be shut down?

If bugs and vulnerabilities were not published there is
a) no (or little) incentive for the "industry" to fix them
b) no long term record to measure the "quality" of their products.

As you say, there are any number of reasons why a vendor will or won't
fix a bug, and/or when they will or won't fix it.

As long as they don't fix known vulnerabilities and bugs their products
are defective, and consumers can ask for a fix, a compensation or return
the defective products and get their money back.

The "researcher" will never know the requirements or considerations.

There is no need to know the "industry's" requirements or considerations.
As long as they continue to ship products which have not been built
according to the state of the art there is a need to push the "industry"
to do so. Software engineering was coined almost 45 years ago!

In that respect, you have to "trust" the vendor -

Cf. Ken Thompson's "Reflections on Trusting Trust".
As long as nobody except the vendor knows their own design, test and
build process there is no way of building trust ... except by judging
the "quality" of their products and their response to vulnerability and
bug reports.

again, *IF* you are not concerned with self promotion.

I'm but concerned about the lack of due diligence some vendors exercise
when they build their products.

Yes, bugs happen, and bugs get fixed. But some vendors make the same
mistakes over and over again. Which can only lead to the following
conclusions:
a) they don't have control or oversight over their developers and their
   build processes.
b) they don't care.

When a vendor fixes a bug, why do people then post details on their find
once it is patched?  For recognition.

Yes, for recognition of vulnerabilities and bugs, and for transparency,
and for the sake of the "market"!
Not all vendors publish their change logs and name the fixed vulnerabilities
and bugs.

Compare it to "food watch" or other activities to inform customers about
the "quality" of "industry" products!
Or just to create "public opinion".

I'm not saying there's anything wrong with it - I've done it myself,
purely for the reason of getting some acknowledgment.  I was just
commenting on the "honesty" of Joro's "fuck 'em" comment.

I think any more on the subject will just result in another flare-up of FD
vs RD vs FO vs GGF, so I'll probably not spend too much more time on the
thread - but please feel free to add whatever you may think I've missed.

Stefan

On 7/8/12 5:07 AM, "Stefan Kanthak" <stefan.kanthak () nexgo de> wrote:

"Thor (Hammer of God)" <thor () hammerofgod com> wrote:

| Content-Type: multipart/mixed; boundary="===============0734760750=="

Please stop posting anything but text/plain.

If you really care about the security of the industry, then submit it
and be done with it.  If and when they fix it is up to them.

OUCH!?
The "industry" will (typically) not fix any error if the cost for fixing
exceeds the loss (or revenue) that this fix creates, including the vendors
gain/loss of reputation, gain/loss of stock value, loss of money in court
cases or due to compensations, loss of (future) sales due to
(dis-)satisfied customers, ...

Joe Average can't tell the difference between a program which is designed,
developed, built and maintained according to the state of the art, and
some piece of crap that is not. He but only sees the (nice or promising)
GUI of the product and its price tag.

Stefan Kanthak

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
