Bugtraq mailing list archives

Re: IBM TFTP Server for Java vulnerability


From: "David Howe" <DaveHowe () Bigfoot com>
Date: Mon, 23 Jul 2001 18:51:12 +0100

Just because a company can't tell you immediately when a bug will be
fixed, you say that you are being ignored and see fit to release an
advisory?  Do you have any idea how easy the problem will be to fix?
Probably not, and I bet IBM would have to do some research first, finding
out what code contains the problem, allocating developers, build
personnel, and QA the fix before even they know when a fix will be out.
Sheesh.
  Well, as I read it, he hasn't had any contact beyond an initial "we will
look at it" for a month. A month is a long time for an outstanding
vulnerability if it becomes public knowledge. Surely he deserves to be at
least "kept in the loop" and get replies to status queries, if only to be
told the email address of an engineer the problem has been assigned to?
  I would question exactly how much time a noncommittal "we will look at it"
followed up by ignoring further emails on the subject should buy a company -
a month is a reasonable time for a vulnerability to be at least confirmed and
for the engineer responsible to contact the person submitting the report and
ask for a longer extension to get a patch ready; much longer and it could be
a case of the company just dropping the matter and hoping it gets fixed in
the next major release, which we have all seen before.
