Full Disclosure mailing list archives
Re: Full-Disclosure Digest, Vol 89, Issue 10
From: SMiller () unimin com
Date: Mon, 9 Jul 2012 11:00:32 -0400
My disclosure concerns as a user are twofold. When it comes to serious and readily exploitable vulnerabilities, I want to be informed in the minimum period of time that allows the vendor to investigate and acknowledge, and either repair immediately, or give a definite, short-term timetable for doing so, in order to allow me to implement my own safeguards, if necessary (which seems to be what has been addressed in this thread up until now) To me, 30 days should be at least adequate in such cases. I also want to keep track of historical responses by vendors to bugs of all kinds so that I can identify those vendors who have terribly inadequate development cycles, standards, and practices. Those vendors I want to completely avoid in the future to the extent possible. -S. Miller
full-disclosure-bounces () lists grok org uk wrote on 07/09/2012 07:00:01
AM:
From: full-disclosure-request () lists grok org uk To: full-disclosure () lists grok org uk Date: 07/09/2012 06:58 AM Subject: Full-Disclosure Digest, Vol 89, Issue 10 Sent by: full-disclosure-bounces () lists grok org uk Today's Topics: 9. Re: How much time is appropriate for fixing a bug? (Georgi Guninski) ---------------------------------------------------------------------- Message: 9 Date: Mon, 9 Jul 2012 13:20:11 +0300 From: Georgi Guninski <guninski () guninski com> Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug? To: Stefan Kanthak <stefan.kanthak () nexgo de> Cc: full-disclosure () lists grok org uk Message-ID: <20120709102011.GA1988@sivokote.iziade.m$> Content-Type: text/plain; charset=us-ascii On Sun, Jul 08, 2012 at 02:07:52PM +0200, Stefan Kanthak wrote:"Thor (Hammer of God)" <thor () hammerofgod com> wrote: | Content-Type: multipart/mixed;
boundary="===============0734760750=="
Please stop posting anything but text/plain.If you really care about the security of the industry, then submit
it and
be done with it. If and when they fix it is up to them.OUCH!? The "industry" will (typically) not fix any error if the cost for
fixing
exceeds the loss (or revenue) that this fix creates, including the
vendors
gain/loss of reputation, gain/loss of stock value, loss of money in
court
cases or due to compensations, loss of (future) sales due to
(dis-)satisfied
customers, ... Joe Average can't tell the difference between a program which is
designed,
developed, built and maintained according to the state of the art, and
some
piece of crap that is not. He but only sees the (nice or promising)
GUI of
the product and it's price tag. Stefan Kanthaki agree that Thor is writing pure corporate crap. note that he is contradicting himself: in another thread he wrote basically "people do stuff for money and getting laid". in this thread he is using the buzzwords "self promotion"/ "ego-substantiation" which don't appear to fit the above model of motivation and are certainly wrong for most members of FD. probably in the next thread he will use the buzzword "irresponsible". i suppose in his glass house world he expects hackers to give the 0days to vendors and keep silent, busting vendors profits for free so they don't accused of the ego related irresponsible crimes. f*ck it, i expect the final usa crisis to partially fix the model. ------------------------------ End of Full-Disclosure Digest, Vol 89, Issue 10 ***********************************************
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Full-Disclosure Digest, Vol 89, Issue 10 SMiller (Jul 09)