Bugtraq mailing list archives

Notifying Vendors


From: kerb () FNUSA COM (Kerb)
Date: Thu, 18 Nov 1999 15:42:21 -0600


With the bit of talk of notifying vendors in the past day or two,
I thought I might throw in my $0.02 and how I do things.

Notification and how long you wait for response should be
dependent on usage of the software.  For example, the WU-FTPD
hole in 2.5.0.  No exploit has been released to date, even though
2.6.0 is out.  It's a widespread package that would affect a LOT
of systems if the exploit was just tossed out without giving
the vendors time to come up with at least a temporary fix
better than "disable FTP".  I believe that notification is _almost_
always necessary (except in rare cases like my Alibaba CGI
bugs, because Alibaba had already demonstrated their lack of
interest in security of their software).  So basically what I'm
trying to say is the time you wait for a response from the
vendor (and/or a patch released) should depend on the
severity of the hole and how widespread it will be.

-Kerb-

