On Fri, Jun 21, 2002 at 04:15:53PM -0400, Klaus, Chris (ISSAtlanta) wrote: > 1) We did notify Apache before going public. ISS X-Force emailed > Apache in the morning at 9:44am regarding this Advisory. We waited until > the afternoon before sending to Bugtraq for approval and finally reaching [snip] > We are currently working with another major vulnerability dealing with > an open-source vendor whereby we both are coordinating and cooperating > and shrinking the 30 day quiet period significantly
Well, I can't argue that a couple of hours isn't significantly shorter than 30 days. I do think it's still somewhat unclear why this second "open-source vendor" gets the courtesy of coordination and cooperation, but the apache group got effectively blindsided. If anything, your second "clarification" seems to contradict your first "response" that the apache project couldn't be trusted with coordination, "due to the general nature of open-source." This seems more like 'obfuscation' and 'covering' than 'clarification'. -- Mike Stone
