Full Disclosure mailing list archives
Re: How much time is appropriate for fixing a bug?
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Mon, 9 Jul 2012 06:14:33 +0000
I must not have articulated my point properly as it looks like we are both saying the same thing. What I was trying to convey was that if a person was actually concerned about the "industry" as opposed to self-promotion and ego-substantiation, then they would just notify the vendors and then get on with their lives irrespective of the vendors' ultimate remedy. As you say, there are any number of reasons why a vendor will or won't fix a bug, and/or when they will or won't fix it. The "researcher" will never know the requirements or considerations. In that respect, you have to "trust" the vendor - again, *IF* you are not concerned with self-promotion.

When a vendor fixes a bug, why do people then post details on their find once it is patched? For recognition. I'm not saying there's anything wrong with it - I've done it myself, purely for the reason of getting some acknowledgment. I was just commenting on the "honesty" of Joro's "fuck 'em" comment.

I think any more on the subject will just result in another flare-up of FD vs RD vs FO vs GGF, so I'll probably not spend too much more time on the thread - but please feel free to add whatever you may think I've missed...

t

On 7/8/12 5:07 AM, "Stefan Kanthak" <stefan.kanthak () nexgo de> wrote:
"Thor (Hammer of God)" <thor () hammerofgod com> wrote:

| Content-Type: multipart/mixed; boundary="===============0734760750=="

Please stop posting anything but text/plain.

| If you really care about the security of the industry, then submit it
| and be done with it. If and when they fix it is up to them.

OUCH!?

The "industry" will (typically) not fix any error if the cost for fixing exceeds the loss (or revenue) that this fix creates, including the vendor's gain/loss of reputation, gain/loss of stock value, loss of money in court cases or due to compensations, loss of (future) sales due to (dis-)satisfied customers, ...

Joe Average can't tell the difference between a program which is designed, developed, built and maintained according to the state of the art, and some piece of crap that is not. He only sees the (nice or promising) GUI of the product and its price tag.

Stefan Kanthak
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: How much time is appropriate for fixing a bug?, (continued)
- Re: How much time is appropriate for fixing a bug? Thor (Hammer of God) (Jul 06)
- Re: How much time is appropriate for fixing a bug? Peter Dawson (Jul 06)
- Re: How much time is appropriate for fixing a bug? Thor (Hammer of God) (Jul 06)
- Re: How much time is appropriate for fixing a bug? Laurelai (Jul 06)
- Re: How much time is appropriate for fixing a bug? Gary Baribault (Jul 06)
- Re: How much time is appropriate for fixing a bug? Georgi Guninski (Jul 07)
- Re: How much time is appropriate for fixing a bug? Thor (Hammer of God) (Jul 07)
- Re: How much time is appropriate for fixing a bug? Kurt Ellzey (Jul 09)
- Re: How much time is appropriate for fixing a bug? Georgi Guninski (Jul 08)
- Re: How much time is appropriate for fixing a bug? Stefan Kanthak (Jul 09)
- Re: How much time is appropriate for fixing a bug? Thor (Hammer of God) (Jul 08)
- Re: How much time is appropriate for fixing a bug? Stefan Kanthak (Jul 09)
- Re: How much time is appropriate for fixing a bug? Georgi Guninski (Jul 09)
- Re: How much time is appropriate for fixing a bug? Thor (Hammer of God) (Jul 09)
- Re: How much time is appropriate for fixing a bug? Григорий Братислава (Jul 09)
- Re: How much time is appropriate for fixing a bug? valdis . kletnieks (Jul 09)