Re: How much time is appropriate for fixing a bug?

[Gary Baribault <gary () baribault net>]

Hey Georgi,

    Didn't take your happy pill this morning?

    I would say that the answer depends on how the owner/company answers
you, if you feel that their stringing you along and you have given them
some time, then warn them that your publishing, give them 24 hours and
then go for it. Obviously it depends on the bug and the software, I
major bug in a large program will take longer, and so long as they are
talking to you, and you don't miss your morning happy pill, you can
wait, a small bug in a small program shouldn't take as long. There is no
one answer to your question, if you are having an interactive discussion
with them, then be patient, otherwise, Georgi's answer is a good one if
they are ignoring you or stringing you along.


Gary B

On 07/06/2012 10:33 AM, Georgi Guninski wrote:
> On Wed, Jul 04, 2012 at 10:49:18PM +0200, Jann Horn wrote:
> > After having reported a security-relevant bug about a smartphone, how
long would
> > you wait for the vendor to fix it? What are typical times?
> >
> > I remember telling someone about a security-relevant bug in his
library some time
> > ago - he fixed it and published the fixed version within ten minutes.
On the
> > other hand, I often see mails on bugtraq or so in which the given
dates show that
> > the vendor took maybe a year or so to fix the issue...
>
>
>
>
> when i was young i asked a similar question.
>
> if you ask me now, the short answer is "fuck them, if you are
> killing a bug the time is completely up to you."
> responsible disclosure is just a buzzword (the RFC on
> it failed).
>
> you have bugs, they don't have.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/