[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] How much time is appropriate for fixing a bug?

To: Jann Horn <jannhorn@xxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?
From: Georgi Guninski <guninski@xxxxxxxxxxxx>
Date: Fri, 6 Jul 2012 17:33:26 +0300

On Wed, Jul 04, 2012 at 10:49:18PM +0200, Jann Horn wrote:
> After having reported a security-relevant bug about a smartphone, how long 
> would
> you wait for the vendor to fix it? What are typical times?
> 
> I remember telling someone about a security-relevant bug in his library some 
> time
> ago - he fixed it and published the fixed version within ten minutes. On the
> other hand, I often see mails on bugtraq or so in which the given dates show 
> that
> the vendor took maybe a year or so to fix the issue...

when i was young i asked a similar question.

if you ask me now, the short answer is "fuck them, if you are
killing a bug the time is completely up to you." 
responsible disclosure is just a buzzword (the RFC on
it failed).

you have bugs, they don't have.

-- 
good luck

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] How much time is appropriate for fixing a bug?
  - From: Gary Baribault

References:
- [Full-disclosure] How much time is appropriate for fixing a bug?
  - From: Jann Horn

Prev by Date: [Full-disclosure] [ MDVSA-2012:102 ] krb5
Next by Date: [Full-disclosure] [SECURITY] CVE-2012-2138 Apache Sling denial of service vulnerability
Previous by thread: Re: [Full-disclosure] How much time is appropriate for fixing a bug?
Next by thread: Re: [Full-disclosure] How much time is appropriate for fixing a bug?
Index(es):
- Date
- Thread