Dailydave mailing list archives

Re: NISCC's culmination of sitting on an ISAKMP vulnerability for 4 months


From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 14 Nov 2005 17:27:38 +0100

* Dave Aitel:

> And SPIKE and PeachFuzz are free, after all, as long as your corporate
> guidelines don't prohibit you from using GPL software the way MS's does. :>

There never was an anti-GPL policy at Microsoft.  Moreover, GCC is the
system compiler of Interix. 8-)

A couple of years ago, they simply had a lot of trouble attracting
people with broad cross-platform skills (outside Microsoft Research,
of course).  I wouldn't feel comfortable integrating obscure software
running on obscure platforms (which nobody on my team knows in detail)
into my development process, either.

Regarding the lack of CVE IDs, I'd bet that vendors don't tell each
other which bugs in which code the test suite has uncovered, which
means that you cannot assign meaningful CVE IDs.  AFAIK, MITRE isn't
too happy about shotgun testing and the mess it causes.

