"Jean-Marc Desperrier" <[EMAIL PROTECTED]> wrote:

> There's only one point I would criticize in Mikx's method, it's the fact
> he discloses the problems so fast after a fix has been found.

The patches were checked in to public CVS. People creating malware follow CVS updates closely and know everything they need based on the patch and comments. If something goes into public CVS, I consider it public, and it should therefore be addressed by an advisory as soon as possible.

I have no problem with keeping an unpatched bug a secret. I kept #260560 secret for 3 months before releasing a public advisory, and requested multiple status reports before that (with no success). But silent CVS check-ins are just security by obscurity.

mikx

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
