Quote:
Originally Posted by charleski
There are industry standards for responsible disclosure of security bugs. The time allowed for a patch varies from 45 days to 3 months or more. It is irresponsible and inaccurate to label these as 'threats', and this mechanism does work in stimulating a response to the defects discovered.
There are industry policies followed by established organizations, agreed.
But the context got lost (our comments on NoExpert's post).
A statement like:
"If not fixed by <deadline> then we will do <something>" is a threat.
I think that you will see that our rationale in withholding publication while the vendor has time to evaluate the situation is exactly the same as the CERT's description of their policy.
Both the first and second paragraphs of the page you linked to.
The only significant difference is the author has not published an exact time period.
The reasoning here is that a responsible vendor does not need to be pressured into correcting a potentially harmful software error.
If it needs fixing (in the vendor's opinion), then it will get fixed.
And just for the record, here is the last time our members found an exploitable error:
http://www.kb.cert.org/vuls/id/122656
https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-4248
https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-4249
If the vendor feels they need a specific amount of working time, then they will coordinate that with the author.
I can think of no reason that the author need publish any of those negotiations.
Also, keep in mind that Amazon/Lab126 actively follows the discussions on this site.
A thread that gathers an average of 1,000 views per day gets their attention.