On 06.02.2012 17:10, Michael Morris wrote:

> On Mon, Feb 6, 2012 at 10:32 AM, Reindl Harald <h.rei...@thelounge.net
> <mailto:h.rei...@thelounge.net>> wrote:
>
> > first: do not top-post if you get a reply below
> >
> > second:
> > in the context of suhosin "when mistakes get made by such a person,
> > they are hidden away rather than honestly reported" is bullshit
> > at its best
> >
> > * look at the disclosure below
> > * look at the author
> > * look at the way it was made
> >
> > if only 10% of developers would work like Stefan, most software
> > out there would be much better than it is and was all the last years,
> > and if someone has this attitude and knowledge I see no single
> > problem and understand fully that he is frustrated
> > _______________
> >
> > Author: Stefan Esser [stefan.esser[at]sektioneins.de
> > <http://sektioneins.de>]
> >
> > Disclosure Timeline:
> > 12. January 2012 - Vulnerability was found during an internal audit
> > 14. January 2012 - Vulnerability was fixed in the source code
> > 19. January 2012 - Public Disclosure
>
> This underscores my fears. Public disclosure was only made once the fix was
> composed seven days after discovery, and that's presuming the stated date of
> discovery is honest. As it is an "internal" audit, who knows other than
> Stefan? You can take his word. I won't.
if you answer to a list mail, answer to the list and not privately, dammit!

would it have been better to make a full disclosure before having a fix, to help attackers? if this is your opinion you are a foolish idiot, sorry but no other words for that

this does not even happen if the one who found an exploit notifies the vendor of the software, and especially not if the one who found it IS the vendor and the one who will fix it

you said "when mistakes get made by such a person, they are hidden away rather than honestly reported" which is NOT underscored, because if it were the truth the disclosure from Stefan would not exist and he would only have released a new version with a "fixed some small bugs" comment and not more