WebApp Sec mailing list archives

Re: Oracle in war of words with security researcher


From: robert () dyadsecurity com
Date: Thu, 26 Jan 2006 19:52:23 -0800

bugtraq () cgisecurity net wrote on Thu, Jan 26, 2006 at 12:48:18PM -0500:
> I'm all for giving plenty of time to fix a flaw, but 650-800 days is a little crazy....

The worst part is very few customers were even allowed to be aware of
the exposed problem for that time.  It's one thing to take a long time
to develop a patch; it's quite another to withhold critical security
information from people who could at least make better policy decisions
with the vulnerability information sans patch.

I think it's in the end users' best interest to get the vulnerability
information directly from those discovering the problems in a timely
manner, rather than wait until a patch is available from the vendor.
This isn't picking on Oracle; this is true for all vulnerabilities in
widely used publicly available products.

Robert

-- 
Robert E. Lee
CIO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033

