On 2007-06-13 13:03-0400, Steven M. Christey wrote:
The time line is also interesting, BTW:
Disclosure timelines are some of the most entertaining and educational
reading in security advisories. There's now (finally) enough data for
somebody somewhere to do a quantitative study on reported timelines,
including typical vendor response times, and issues in the process. (If
someone wants to pursue this, feel free to contact me to bat ideas
around.)
A lot of researcher timelines show a delay between the original discovery
and vendor notification. In some cases, this can be due to additional
time required to prove that the discovery is exploitable in order to give
a more reliable report to the vendor, but that's not always the case.
Thomas Lim though knows what he is doing and willing to stand behind
what he reports. Nowadays the vendors I am worried about are the open
source ones.
This is not about lost maintainers or non-existent patches, that's been
done to death. Reporting vulnerabilities to distributions can be so
depressing - and the replies you get (if any) are so annoying, that if
it was from Microsoft, they would have been grilled in the press already
for them.
- Steve
Gadi.
