Re: How much time is appropriate for fixing a bug?

["Thor (Hammer of God)" <thor () hammerofgod com>]

I already covered that – if they don't fix it, the publish it.   Also, if a vendor has a "venerability" to the 
community, then they would obviously fix it.

There's no "responsibility" to disclose anything.   FD doesn't exist to satisfy some requirement for researchers to 
publish vulnerability – it exists so that people can market themselves.   The "we must disclose this so that people 
will know and they can protect themselves" is simply a justification for the aforementioned.    These people don't give 
a fat fuck about the industry or protecting other people.   If they did, they would just post "hey, there's a vuln in 
this product, email me and I'll tell you about it."  When no-one emails them (because this limited audience doesn't 
care) they don't get their "deserved cred" and post it.

Nobody cares, and nobody remembers…  his FD will simply be another tit in the peep show.  People like 0DayInit and 
Litchfield did it the SMART way.  They have a client base who have purchased a product to protect them from these 
vulnerabilities.  People who purchase the product are protected in the meantime, as the vuln is actually addressed in 
the product.  It actually works in their favor of the vendor to take longer as it makes the product more valuable.


Vendors want "responsible disclosure" so they can assign priority to plan release cadence.  Disclosures want 
recognition, or payment, or both.   Each will do what is in their own best interest.  But let's not pretend it is 
anything other than what it is.

t



From: Peter Dawson <slash.pd () gmail com<mailto:slash.pd () gmail com>>
Date: Friday, July 6, 2012 10:24 AM
To: Timothy Mullen <thor () hammerofgod com<mailto:thor () hammerofgod com>>
Cc: "full-disclosure () lists grok org uk<mailto:full-disclosure () lists grok org uk>" <full-disclosure () lists grok 
org uk<mailto:full-disclosure () lists grok org uk>>
Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?

Thor (Hammer of God) : <If and when they fix it is up to them.>

so if vendor don't fix it /ack the bug.. then what ??
Responsibility works both ways.. Advise the vendor.. if they say fuck it.. I say fuck u.. and will advise the community 
!

There is a responsibility to disclose a venerability to the community so that they can take down/block /deactivate a 
service .

".All that is necessary for the triumph of evil is that good men do nothing. " -whoever ..fuck it !

/pd


On Fri, Jul 6, 2012 at 12:46 PM, Thor (Hammer of God) <thor () hammerofgod com<mailto:thor () hammerofgod com>> wrote:
Well, I have to say, at least he's being honest.  If the guy is chomping at the bit to release the info so he can get 
some attention, then let him.  That, of course, is what it is all about.   He's not releasing the info so that the 
community can be "safe" by "forcing" the vendor to fix it.  He's doing it so people can see how smart he is and that he 
found some bug.   So Joro's reply of "fuck em" is actually refreshingly honest.

Regarding "how long does it take," it is completely impossible to tell.  If someone fixed it in 10 minutes, good for 
them.  It could take someone else 10 months.   Any time I see things like Wikipedia advising things like "5 months" I 
have to lol.  They have no freaking idea whatsoever as to the company's dev processes and the extend that the fix could 
impact legacy code or any number of other factors.   I would actually have expected code bug-finders to have a better 
clue about these things, but apparently they don't.

MSFT's process is nuts – they have SO many dependancies, so many different products with shared code, so many legacy 
products, so many vendors with drivers and all manner of other stuff that the process is actually quite difficult and 
time consuming.  Oracle is worse – they have the same but multiplied by x platforms.  Apple I think has it the 
"easiest" of the big ones, but even OSX is massively complex (and completely awesome).

It is all about intent:  if you want to be recognized publicly for some fame or whatever, just FD it because chances 
are you will anyway.   If you really care about the security of the industry, then submit it and be done with it.  If 
and when they fix it is up to them.

t



From: Gary Baribault <gary () baribault net<mailto:gary () baribault net>>
Date: Friday, July 6, 2012 7:59 AM
To: "full-disclosure () lists grok org uk<mailto:full-disclosure () lists grok org uk>" <full-disclosure () lists grok 
org uk<mailto:full-disclosure () lists grok org uk>>
Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?

Hey Georgi,

    Didn't take your happy pill this morning?

    I would say that the answer depends on how the owner/company answers you, if you feel that their stringing you 
along and you have given them some time, then warn them that your publishing, give them 24 hours and then go for it. 
Obviously it depends on the bug and the software, I major bug in a large program will take longer, and so long as they 
are talking to you, and you don't miss your morning happy pill, you can wait, a small bug in a small program shouldn't 
take as long. There is no one answer to your question, if you are having an interactive discussion with them, then be 
patient, otherwise, Georgi's answer is a good one if they are ignoring you or stringing you along.


Gary B

On 07/06/2012 10:33 AM, Georgi Guninski wrote:
> On Wed, Jul 04, 2012 at 10:49:18PM +0200, Jann Horn wrote:
> > After having reported a security-relevant bug about a smartphone, how long would
> > you wait for the vendor to fix it? What are typical times?
> >
> > I remember telling someone about a security-relevant bug in his library some time
> > ago - he fixed it and published the fixed version within ten minutes. On the
> > other hand, I often see mails on bugtraq or so in which the given dates show that
> > the vendor took maybe a year or so to fix the issue...
>
>
>
>
> when i was young i asked a similar question.
>
> if you ask me now, the short answer is "fuck them, if you are
> killing a bug the time is completely up to you."
> responsible disclosure is just a buzzword (the RFC on
> it failed).
>
> you have bugs, they don't have.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/