Full Disclosure mailing list archives

No Subject


From: "mitch_hurrison () ziplip com" <mitch_hurrison () ziplip com>
Date: Tue, 23 Sep 2003 09:45:12 -0700 (PDT)

> Steven M. Christey (coleymitre.org) said:
> > Michal Zalewski said:
> > The cycle of a vulnerability from discovery to publication (or leak)
> > is probably around two weeks to one month on average
>
> This is probably the case, based on some incomplete statistical work
> that I attempted based on published disclosure timelines from the
> first half of 2002. The extremes also appear frequently, whether the
> issues are fixed within 15 minutes or 6 months. And yes Virginia,
> sometimes even open source vendors can take more than 6 months to fix
> some bugs.
>
> - Steve


I notice this general lack of strength in your arguments when you
delve into "statistics." By these lines of reasoning, the average
time of disclosure of a WWII submarine was 2 days to a week on average,
and the best way to find one would be to publish your shipping schedule
in German newspapers.

Lcamtuf, of course, knows better, but even someone entirely unconnected
with the "underground" could see that the sadmind bug had been unleaked
for years now, and there's no good evidence to point to to say that this
is an outlier.

With regards,
Mitch


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
