Full Disclosure mailing list archives

1 year to fix a critical vuln [WAS: Heap Overflow in Oracle 9iAS .....]


From: "Hugh Mann" <hughmann () hotmail com>
Date: Thu, 08 Apr 2004 16:18:12 +0000

Vulnerability History
---------------------


    DATE                                INFO
-------------    ------------------------------------------------------
17 April 2003    Vulnerability Discovered
22 April 2003    Contacted CERT
23 April 2003    Contacted Oracle
23 April 2003    CERT Replied - Assign VU#643985
12 March 2004    Oracle Security Alert #66 Rev.1 Released
2 April 2004     Oracle Security Alert #66 Rev.2 Released with Credits
8 April 2004     Public Advisory Released to bugtraq () securityfocus com
                 vulnwatch () vulnwatch org
                 full-disclosure () lists netsys com

What a world we live in when it takes one year for a company to fix their bug and the company reporting the vuln doesn't care that it takes a year either. Waiting a year to fix a vuln is NOT security. Fix it ASAP.

I know why this happened. These so-called security companies, and you know who you are, are too afraid to put more pressure on the companies hiring amateur programmers. They're afraid someone will say they're helping hackers by releasing their advisories if Buggy Company Ltd. doesn't fix the bug in time, so they wait and wait and wait. What the hell happened to max 30 days? Which company will be first to wait 2 years to fix a vuln?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
