Re: [Full-disclosure] How much time is appropriate for fixing a bug?
I must not have articulated my point properly as it looks like we are both saying the same thing. What I was trying to convey was that if a person was actually concerned about the industry as opposed to self-promotion and ego-substantiation, then they would just notify the vendors and then get on with their lives irrespective of the vendors' ultimate remedy. As you say, there are any number of reasons why a vendor will or won't fix a bug, and/or when they will or won't fix it. The researcher will never know the requirements or considerations. In that respect, you have to trust the vendor - again, *IF* you are not concerned with self promotion.

When a vendor fixes a bug, why do people then post details on their find once it is patched? For recognition. I'm not saying there's anything wrong with it - I've done it myself, purely for the reason of getting some acknowledgment. I was just commenting on the honesty of Joro's "fuck 'em" comment.

I think any more on the subject will just result in another flare-up of FD vs RD vs FO vs GGF, so I'll probably not spend too much more time on the thread - but please feel free to add whatever you may think I've missed...

t

On 7/8/12 5:07 AM, Stefan Kanthak stefan.kant...@nexgo.de wrote:

> Thor (Hammer of God) t...@hammerofgod.com wrote:
>
> | Content-Type: multipart/mixed; boundary0734760750==
>
> Please stop posting anything but text/plain.
>
>> If you really care about the security of the industry, then submit it and be done with it. If and when they fix it is up to them.
>
> OUCH!?
>
> The industry will (typically) not fix any error if the cost for fixing exceeds the loss (or revenue) that this fix creates, including the vendor's gain/loss of reputation, gain/loss of stock value, loss of money in court cases or due to compensations, loss of (future) sales due to (dis-)satisfied customers, ...
>
> Joe Average can't tell the difference between a program which is designed, developed, built and maintained according to the state of the art, and some piece of crap that is not. He only sees the (nice or promising) GUI of the product and its price tag.
>
> Stefan Kanthak

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
> vendors know better, the messenger is guilty. design flaws are hard and expensive to fix, lol. there is time for fixing and there is time for breaking any vendor will tell you.

There are never any flaws - they are not bugs, they're features!
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
Thor (Hammer of God) t...@hammerofgod.com wrote:

| Content-Type: multipart/mixed; boundary0734760750==

Please stop posting anything but text/plain.

> If you really care about the security of the industry, then submit it and be done with it. If and when they fix it is up to them.

OUCH!?

The industry will (typically) not fix any error if the cost for fixing exceeds the loss (or revenue) that this fix creates, including the vendor's gain/loss of reputation, gain/loss of stock value, loss of money in court cases or due to compensations, loss of (future) sales due to (dis-)satisfied customers, ...

Joe Average can't tell the difference between a program which is designed, developed, built and maintained according to the state of the art, and some piece of crap that is not. He only sees the (nice or promising) GUI of the product and its price tag.

Stefan Kanthak
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
On Sun, Jul 08, 2012 at 02:07:52PM +0200, Stefan Kanthak wrote:

> Thor (Hammer of God) t...@hammerofgod.com wrote:
>
> | Content-Type: multipart/mixed; boundary0734760750==
>
> Please stop posting anything but text/plain.
>
>> If you really care about the security of the industry, then submit it and be done with it. If and when they fix it is up to them.
>
> OUCH!?
>
> The industry will (typically) not fix any error if the cost for fixing exceeds the loss (or revenue) that this fix creates, including the vendor's gain/loss of reputation, gain/loss of stock value, loss of money in court cases or due to compensations, loss of (future) sales due to (dis-)satisfied customers, ...
>
> Joe Average can't tell the difference between a program which is designed, developed, built and maintained according to the state of the art, and some piece of crap that is not. He only sees the (nice or promising) GUI of the product and its price tag.
>
> Stefan Kanthak

i agree that Thor is writing pure corporate crap.

note that he is contradicting himself: in another thread he wrote basically "people do stuff for money and getting laid". in this thread he is using the buzzwords "self promotion"/"ego-substantiation" which don't appear to fit the above model of motivation and are certainly wrong for most members of FD. probably in the next thread he will use the buzzword "irresponsible".

i suppose in his glass house world he expects hackers to give the 0days to vendors and keep silent, busting vendors' profits for free so they don't get accused of the ego related irresponsible crimes.

f*ck it, i expect the final usa crisis to partially fix the model.
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
On Sun, 08 Jul 2012 14:07:52 +0200, Stefan Kanthak said:

> The industry will (typically) not fix any error if the cost for fixing exceeds the loss (or revenue) that this fix creates, including the vendor's gain/loss of reputation, gain/loss of stock value, loss of money in court cases or due to compensations, loss of (future) sales due to (dis-)satisfied customers, ...

Court cases? *Really*? When was the last time you saw a court case about defective COTS software? You see the occasional squabble regarding bespoke one-off developments, but your average shrink-wrapped EULA does a pretty good job of absolving the vendor from all blame, no matter how egregious the error. Oftentimes, they even manage to waive responsibility for the common-law concepts of merchantability or fitness for intended use.

> Joe Average can't tell the difference between a program which is designed, developed, built and maintained according to the state of the art, and some piece of crap that is not.

That's OK. Those of us who do this for a living are *also* often hard-pressed to find any notable difference between "state of the art" and "piece of crap", as they're about as close as the two levels of a hyperfine transition of a cesium atom.
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
Thor (Hammer of God) t...@hammerofgod.com wrote:

> I must not have articulated my point properly as it looks like we are both saying the same thing.

No, we still disagree.

> What I was trying to convey was that if a person was actually concerned about the industry as opposed to self-promotion and ego-substantiation, then they would just notify the vendors and then get on with their lives irrespective of the vendors' ultimate remedy.

CVE can be shut down?

If bugs and vulnerabilities were not published there is
a) no (or little) incentive for the industry to fix them
b) no long term record to measure the quality of their products.

> As you say, there are any number of reasons why a vendor will or won't fix a bug, and/or when they will or won't fix it.

As long as they don't fix known vulnerabilities and bugs their products are defective, and consumers can ask for a fix, a compensation or return the defective products and get their money back.

> The researcher will never know the requirements or considerations.

There is no need to know the industry's requirements or considerations. As long as they continue to ship products which have not been built according to the state of the art there is a need to push the industry to do so. "Software engineering" was coined almost 45 years ago!

> In that respect, you have to trust the vendor -

Cf. Ken Thompson's "Reflections on Trusting Trust". As long as nobody except the vendor knows their own design, test and build process there is no way of building trust ... except by judging the quality of their products and their response to vulnerability and bug reports.

> again, *IF* you are not concerned with self promotion.

I'm but concerned about the lack of due diligence some vendors exercise when they build their products. Yes, bugs happen, and bugs get fixed. But some vendors make the same mistakes over and over again. Which can only lead to the following conclusions:
a) they don't have control or oversight over their developers and their build processes.
b) they don't care.

> When a vendor fixes a bug, why do people then post details on their find once it is patched? For recognition.

Yes, for recognition of vulnerabilities and bugs, and for transparency, and for the sake of the market! Not all vendors publish their change logs and name the fixed vulnerabilities and bugs. Compare it to "food watch" or other activities to inform customers about the quality of industry products! Or just to create public opinion.

> I'm not saying there's anything wrong with it - I've done it myself, purely for the reason of getting some acknowledgment. I was just commenting on the honesty of Joro's "fuck 'em" comment.
>
> I think any more on the subject will just result in another flare-up of FD vs RD vs FO vs GGF, so I'll probably not spend too much more time on the thread - but please feel free to add whatever you may think I've missed...

Stefan

> On 7/8/12 5:07 AM, Stefan Kanthak stefan.kant...@nexgo.de wrote:
>
>> Thor (Hammer of God) t...@hammerofgod.com wrote:
>>
>> | Content-Type: multipart/mixed; boundary0734760750==
>>
>> Please stop posting anything but text/plain.
>>
>>> If you really care about the security of the industry, then submit it and be done with it. If and when they fix it is up to them.
>>
>> OUCH!?
>>
>> The industry will (typically) not fix any error if the cost for fixing exceeds the loss (or revenue) that this fix creates, including the vendor's gain/loss of reputation, gain/loss of stock value, loss of money in court cases or due to compensations, loss of (future) sales due to (dis-)satisfied customers, ...
>>
>> Joe Average can't tell the difference between a program which is designed, developed, built and maintained according to the state of the art, and some piece of crap that is not. He only sees the (nice or promising) GUI of the product and its price tag.
>>
>> Stefan Kanthak
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
I'm not contradicting myself at all - in fact, *you* are the exact type of person I'm talking about. You couldn't give a rat's ass about the industry or anyone but yourself. Nothing you have ever done has been valuable to anyone other than you; it has been completely self-serving egotistical bullshit. So you found a few bugs in Explorer. Wow! Congratulations... I'm sure your mommy is proud of little Joro. *ANYONE* could have found bugs in Explorer, and they did - you just did it in a full-blown "look at me" manner that ended up hurting more people than it helped (because it didn't help anyone).

I'm amazed that you didn't burst into flame from the hypocritical charge of "buzzwords". For the last 10 years or more, you've been the poster child of M$, Exploder, Windoze and any other number of 12-year-old-mentality buzzwords. The actual *facts* here are that you've never published *any* code of consequence (not that I've found) nor have you published any written works of any value. I've never seen any evidence of an actual job you have, or references of work that has contributed to the industry in any way. Yet you are a bitter critic of people who write code, you belittle people who publish, and you present yourself as an expert on corporate culture. In other words Georgi, you are completely full of shit.

So yes, I stand by my [obviously tongue-in-cheek] statement of "people do things for two reasons, to get paid or to get laid." You probably get both, but my guess is it is sourced within the same myopic scope of your world views.

t

On 7/9/12 3:20 AM, Georgi Guninski gunin...@guninski.com wrote:

> On Sun, Jul 08, 2012 at 02:07:52PM +0200, Stefan Kanthak wrote:
>
>> Thor (Hammer of God) t...@hammerofgod.com wrote:
>>
>> | Content-Type: multipart/mixed; boundary0734760750==
>>
>> Please stop posting anything but text/plain.
>>
>>> If you really care about the security of the industry, then submit it and be done with it. If and when they fix it is up to them.
>>
>> OUCH!?
>>
>> The industry will (typically) not fix any error if the cost for fixing exceeds the loss (or revenue) that this fix creates, including the vendor's gain/loss of reputation, gain/loss of stock value, loss of money in court cases or due to compensations, loss of (future) sales due to (dis-)satisfied customers, ...
>>
>> Joe Average can't tell the difference between a program which is designed, developed, built and maintained according to the state of the art, and some piece of crap that is not. He only sees the (nice or promising) GUI of the product and its price tag.
>>
>> Stefan Kanthak
>
> i agree that Thor is writing pure corporate crap.
>
> note that he is contradicting himself: in another thread he wrote basically "people do stuff for money and getting laid". in this thread he is using the buzzwords "self promotion"/"ego-substantiation" which don't appear to fit the above model of motivation and are certainly wrong for most members of FD. probably in the next thread he will use the buzzword "irresponsible".
>
> i suppose in his glass house world he expects hackers to give the 0days to vendors and keep silent, busting vendors' profits for free so they don't get accused of the ego related irresponsible crimes.
>
> f*ck it, i expect the final usa crisis to partially fix the model.
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
Hello Full Disclosure!! !! !! Is like to warn you about George Guninski. Is cat is out is bag. Guninski is lame PoC

char lamur = "\xba\x1c\x00\x00\x00\xb9\x00\x00\x00\x00\xbb\x01\x00\x00\x00\xb8\x04\x00\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xcd\x80"; /* IS REAL SHELLCODE OLIVE BRANCH FOR YOU */
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
On Sat, Jul 07, 2012 at 12:30:09PM -0400, Kurt Ellzey wrote:

>> vendors know better, the messenger is guilty. design flaws are hard and expensive to fix, lol. there is time for fixing and there is time for breaking any vendor will tell you.
>
> There are never any flaws - they are not bugs, they're features!

"There are no significant bugs in our released software that any significant number of users want fixed. … I'm saying we don't do a new version to fix bugs. We don't. Not enough people would buy it. You can take a hundred people using Microsoft Word. Call them up and say "Would you buy a new version because of bugs?" You won't get a single person to say they'd buy a new version because of bugs. We'd never be able to sell a release on that basis."

Focus Magazine No. 43 (23 October 1995)
http://en.wikiquote.org/wiki/Bill_Gates
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
> Wikipedia says 5 months: http://en.wikipedia.org/wiki/Responsible_disclosure

Well, the encyclopedia has spoken. So it's settled then.

/mz
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
On Sun, Jul 8, 2012 at 1:05 PM, Michal Zalewski lcam...@coredump.cx wrote:

>> Wikipedia says 5 months: http://en.wikipedia.org/wiki/Responsible_disclosure
>
> Well, the encyclopedia has spoken. So it's settled then.

:)
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
On Fri, Jul 06, 2012 at 01:24:44PM -0400, Peter Dawson wrote:

> Thor (Hammer of God) :
>> If and when they fix it is up to them.
>
> so if vendor don't fix it /ack the bug.. then what ?? Responsibility works both ways.. Advise the vendor.. if they say fuck it.. I say fuck u.. and will advise the community !
>
> There is a responsibility to disclose a vulnerability to the community so that they can take down/block /deactivate a service.
>
> "All that is necessary for the triumph of evil is that good men do nothing." - whoever
>
> ..fuck it !
>
> /pd

vendors know better, the messenger is guilty. design flaws are hard and expensive to fix, lol. there is time for fixing and there is time for breaking any vendor will tell you.
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
> there is time for fixing and there is time for breaking

Ecclesiastes in the Hacker's Bible? :0
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
Realistically, it will take at least a month to go from security to development through QA and release (in your case probably twice, because it may have to go through the carrier's QA/release). Wikipedia says 5 months: http://en.wikipedia.org/wiki/Responsible_disclosure

- Philipp

On 07/04/2012 10:49 PM, Jann Horn wrote:

> After having reported a security-relevant bug about a smartphone, how long would you wait for the vendor to fix it? What are typical times? I remember telling someone about a security-relevant bug in his library some time ago - he fixed it and published the fixed version within ten minutes. On the other hand, I often see mails on bugtraq or so in which the given dates show that the vendor took maybe a year or so to fix the issue...
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
On Wed, Jul 04, 2012 at 10:49:18PM +0200, Jann Horn wrote:

> After having reported a security-relevant bug about a smartphone, how long would you wait for the vendor to fix it? What are typical times? I remember telling someone about a security-relevant bug in his library some time ago - he fixed it and published the fixed version within ten minutes. On the other hand, I often see mails on bugtraq or so in which the given dates show that the vendor took maybe a year or so to fix the issue...

when i was young i asked a similar question. if you ask me now, the short answer is "fuck them", if you are killing a bug the time is completely up to you. "responsible disclosure" is just a buzzword (the RFC on it failed). you have bugs, they don't have.

--
good luck
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
Hey Georgi,

Didn't take your happy pill this morning? I would say that the answer depends on how the owner/company answers you, if you feel that they're stringing you along and you have given them some time, then warn them that you're publishing, give them 24 hours and then go for it. Obviously it depends on the bug and the software, a major bug in a large program will take longer, and so long as they are talking to you, and you don't miss your morning happy pill, you can wait, a small bug in a small program shouldn't take as long. There is no one answer to your question, if you are having an interactive discussion with them, then be patient, otherwise, Georgi's answer is a good one if they are ignoring you or stringing you along.

Gary B

On 07/06/2012 10:33 AM, Georgi Guninski wrote:

> On Wed, Jul 04, 2012 at 10:49:18PM +0200, Jann Horn wrote:
>
>> After having reported a security-relevant bug about a smartphone, how long would you wait for the vendor to fix it? What are typical times? I remember telling someone about a security-relevant bug in his library some time ago - he fixed it and published the fixed version within ten minutes. On the other hand, I often see mails on bugtraq or so in which the given dates show that the vendor took maybe a year or so to fix the issue...
>
> when i was young i asked a similar question. if you ask me now, the short answer is "fuck them", if you are killing a bug the time is completely up to you. "responsible disclosure" is just a buzzword (the RFC on it failed). you have bugs, they don't have.
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
Well, I have to say, at least he's being honest. If the guy is chomping at the bit to release the info so he can get some attention, then let him. That, of course, is what it is all about. He's not releasing the info so that the community can be safe by forcing the vendor to fix it. He's doing it so people can see how smart he is and that he found some bug. So Joro's reply of "fuck em" is actually refreshingly honest.

Regarding how long does it take, it is completely impossible to tell. If someone fixed it in 10 minutes, good for them. It could take someone else 10 months. Any time I see things like Wikipedia advising things like 5 months I have to lol. They have no freaking idea whatsoever as to the company's dev processes and the extent that the fix could impact legacy code or any number of other factors. I would actually have expected code bug-finders to have a better clue about these things, but apparently they don't. MSFT's process is nuts – they have SO many dependencies, so many different products with shared code, so many legacy products, so many vendors with drivers and all manner of other stuff that the process is actually quite difficult and time consuming. Oracle is worse – they have the same but multiplied by x platforms. Apple I think has it the easiest of the big ones, but even OSX is massively complex (and completely awesome).

It is all about intent: if you want to be recognized publicly for some fame or whatever, just FD it because chances are you will anyway. If you really care about the security of the industry, then submit it and be done with it. If and when they fix it is up to them.

t

From: Gary Baribault g...@baribault.net
Date: Friday, July 6, 2012 7:59 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?

> Hey Georgi,
>
> Didn't take your happy pill this morning? I would say that the answer depends on how the owner/company answers you, if you feel that they're stringing you along and you have given them some time, then warn them that you're publishing, give them 24 hours and then go for it. Obviously it depends on the bug and the software, a major bug in a large program will take longer, and so long as they are talking to you, and you don't miss your morning happy pill, you can wait, a small bug in a small program shouldn't take as long. There is no one answer to your question, if you are having an interactive discussion with them, then be patient, otherwise, Georgi's answer is a good one if they are ignoring you or stringing you along.
>
> Gary B
>
> On 07/06/2012 10:33 AM, Georgi Guninski wrote:
>
>> On Wed, Jul 04, 2012 at 10:49:18PM +0200, Jann Horn wrote:
>>
>>> After having reported a security-relevant bug about a smartphone, how long would you wait for the vendor to fix it? What are typical times? I remember telling someone about a security-relevant bug in his library some time ago - he fixed it and published the fixed version within ten minutes. On the other hand, I often see mails on bugtraq or so in which the given dates show that the vendor took maybe a year or so to fix the issue...
>>
>> when i was young i asked a similar question. if you ask me now, the short answer is "fuck them", if you are killing a bug the time is completely up to you. "responsible disclosure" is just a buzzword (the RFC on it failed). you have bugs, they don't have.
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
Thor (Hammer of God) :
> If and when they fix it is up to them.

so if vendor don't fix it /ack the bug.. then what ?? Responsibility works both ways.. Advise the vendor.. if they say fuck it.. I say fuck u.. and will advise the community !

There is a responsibility to disclose a vulnerability to the community so that they can take down/block /deactivate a service.

"All that is necessary for the triumph of evil is that good men do nothing." - whoever

..fuck it !

/pd

On Fri, Jul 6, 2012 at 12:46 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

> Well, I have to say, at least he's being honest. If the guy is chomping at the bit to release the info so he can get some attention, then let him. That, of course, is what it is all about. He's not releasing the info so that the community can be safe by forcing the vendor to fix it. He's doing it so people can see how smart he is and that he found some bug. So Joro's reply of "fuck em" is actually refreshingly honest.
>
> Regarding how long does it take, it is completely impossible to tell. If someone fixed it in 10 minutes, good for them. It could take someone else 10 months. Any time I see things like Wikipedia advising things like 5 months I have to lol. They have no freaking idea whatsoever as to the company's dev processes and the extent that the fix could impact legacy code or any number of other factors. I would actually have expected code bug-finders to have a better clue about these things, but apparently they don't. MSFT's process is nuts – they have SO many dependencies, so many different products with shared code, so many legacy products, so many vendors with drivers and all manner of other stuff that the process is actually quite difficult and time consuming. Oracle is worse – they have the same but multiplied by x platforms. Apple I think has it the easiest of the big ones, but even OSX is massively complex (and completely awesome).
>
> It is all about intent: if you want to be recognized publicly for some fame or whatever, just FD it because chances are you will anyway. If you really care about the security of the industry, then submit it and be done with it. If and when they fix it is up to them.
>
> t
>
> From: Gary Baribault g...@baribault.net
> Date: Friday, July 6, 2012 7:59 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?
>
>> Hey Georgi,
>>
>> Didn't take your happy pill this morning? I would say that the answer depends on how the owner/company answers you, if you feel that they're stringing you along and you have given them some time, then warn them that you're publishing, give them 24 hours and then go for it. Obviously it depends on the bug and the software, a major bug in a large program will take longer, and so long as they are talking to you, and you don't miss your morning happy pill, you can wait, a small bug in a small program shouldn't take as long. There is no one answer to your question, if you are having an interactive discussion with them, then be patient, otherwise, Georgi's answer is a good one if they are ignoring you or stringing you along.
>>
>> Gary B
>>
>> On 07/06/2012 10:33 AM, Georgi Guninski wrote:
>>
>>> On Wed, Jul 04, 2012 at 10:49:18PM +0200, Jann Horn wrote:
>>>
>>>> After having reported a security-relevant bug about a smartphone, how long would you wait for the vendor to fix it? What are typical times? I remember telling someone about a security-relevant bug in his library some time ago - he fixed it and published the fixed version within ten minutes. On the other hand, I often see mails on bugtraq or so in which the given dates show that the vendor took maybe a year or so to fix the issue...
>>>
>>> when i was young i asked a similar question. if you ask me now, the short answer is "fuck them", if you are killing a bug the time is completely up to you. "responsible disclosure" is just a buzzword (the RFC on it failed). you have bugs, they don't have.
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
I already covered that – if they don't fix it, then publish it. Also, if a vendor has a vulnerability to the community, then they would obviously fix it. There's no responsibility to disclose anything. FD doesn't exist to satisfy some requirement for researchers to publish vulnerabilities – it exists so that people can market themselves. The "we must disclose this so that people will know and they can protect themselves" is simply a justification for the aforementioned. These people don't give a fat fuck about the industry or protecting other people. If they did, they would just post "hey, there's a vuln in this product, email me and I'll tell you about it." When no-one emails them (because this limited audience doesn't care) they don't get their deserved cred and post it. Nobody cares, and nobody remembers… his FD will simply be another tit in the peep show.

People like 0DayInit and Litchfield did it the SMART way. They have a client base who have purchased a product to protect them from these vulnerabilities. People who purchase the product are protected in the meantime, as the vuln is actually addressed in the product. It actually works in favor of the vendor to take longer as it makes the product more valuable.

Vendors want responsible disclosure so they can assign priority to plan release cadence. Disclosers want recognition, or payment, or both. Each will do what is in their own best interest. But let's not pretend it is anything other than what it is.

t

From: Peter Dawson slash...@gmail.com
Date: Friday, July 6, 2012 10:24 AM
To: Timothy Mullen t...@hammerofgod.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?

> Thor (Hammer of God): "If and when they fix it is up to them."
>
> so if vendor don't fix it / ack the bug.. then what ?? Responsibility works both ways.. Advise the vendor.. if they say fuck it.. I say fuck u.. and will advise the community! There is a responsibility to disclose a vulnerability to the community so that they can take down/block/deactivate a service.
>
> "All that is necessary for the triumph of evil is that good men do nothing." - whoever
>
> ..fuck it !
>
> /pd
>
> On Fri, Jul 6, 2012 at 12:46 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
>
>> Well, I have to say, at least he's being honest. If the guy is chomping at the bit to release the info so he can get some attention, then let him. That, of course, is what it is all about. He's not releasing the info so that the community can be safe by forcing the vendor to fix it. He's doing it so people can see how smart he is and that he found some bug. So Joro's reply of "fuck em" is actually refreshingly honest.
>>
>> Regarding how long it takes, it is completely impossible to tell. If someone fixed it in 10 minutes, good for them. It could take someone else 10 months. Any time I see things like Wikipedia advising things like 5 months I have to lol. They have no freaking idea whatsoever as to the company's dev processes and the extent that the fix could impact legacy code or any number of other factors. I would actually have expected code bug-finders to have a better clue about these things, but apparently they don't. MSFT's process is nuts – they have SO many dependencies, so many different products with shared code, so many legacy products, so many vendors with drivers and all manner of other stuff that the process is actually quite difficult and time consuming. Oracle is worse – they have the same but multiplied by x platforms. Apple I think has it the easiest of the big ones, but even OSX is massively complex (and completely awesome).
>>
>> It is all about intent: if you want to be recognized publicly for some fame or whatever, just FD it because chances are you will anyway. If you really care about the security of the industry, then submit it and be done with it. If and when they fix it is up to them.
>>
>> t
>>
>> From: Gary Baribault g...@baribault.net
>> Date: Friday, July 6, 2012 7:59 AM
>> To: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?
>>
>>> Hey Georgi, Didn't take your happy pill this morning? I would say that the answer depends on how the owner/company answers you; if you feel that they're stringing you along and you have given them some time, then warn them that you're publishing, give them 24 hours and then go for it. Obviously it depends on the bug and the software. A major bug in a large program will take longer, and so long as they are talking to you, and you don't miss your morning
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
On 7/6/12 1:48 PM, Thor (Hammer of God) wrote:
Re: [Full-disclosure] How much time is appropriate for fixing a bug?
That's about what I was saying, assuming that the one who found the bug isn't into instant gratification, and the vendor is playing ball, communicating, and you feel that they are really working on it, then sit on it; you'll get your 15 minutes a little later. If the vendor is stonewalling or you don't think they are really working on it, then publish, that will get them off the dime!

Gary Baribault
Email: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 07/06/2012 01:24 PM, Peter Dawson wrote:

> Thor (Hammer of God): "If and when they fix it is up to them."
>
> so if vendor don't fix it / ack the bug.. then what ?? Responsibility works both ways.. Advise the vendor.. if they say fuck it.. I say fuck u.. and will advise the community! There is a responsibility to disclose a vulnerability to the community so that they can take down/block/deactivate a service.
>
> "All that is necessary for the triumph of evil is that good men do nothing." - whoever
>
> ..fuck it !
>
> /pd
>
> On Fri, Jul 6, 2012 at 12:46 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
>
>> Well, I have to say, at least he's being honest. If the guy is chomping at the bit to release the info so he can get some attention, then let him. That, of course, is what it is all about. He's not releasing the info so that the community can be safe by forcing the vendor to fix it. He's doing it so people can see how smart he is and that he found some bug. So Joro's reply of "fuck em" is actually refreshingly honest.
>>
>> Regarding how long it takes, it is completely impossible to tell. If someone fixed it in 10 minutes, good for them. It could take someone else 10 months. Any time I see things like Wikipedia advising things like 5 months I have to lol. They have no freaking idea whatsoever as to the company's dev processes and the extent that the fix could impact legacy code or any number of other factors. I would actually have expected code bug-finders to have a better clue about these things, but apparently they don't. MSFT's process is nuts – they have SO many dependencies, so many different products with shared code, so many legacy products, so many vendors with drivers and all manner of other stuff that the process is actually quite difficult and time consuming. Oracle is worse – they have the same but multiplied by x platforms. Apple I think has it the easiest of the big ones, but even OSX is massively complex (and completely awesome).
>>
>> It is all about intent: if you want to be recognized publicly for some fame or whatever, just FD it because chances are you will anyway. If you really care about the security of the industry, then submit it and be done with it. If and when they fix it is up to them.
>>
>> t
>>
>> From: Gary Baribault g...@baribault.net
>> Date: Friday, July 6, 2012 7:59 AM
>> To: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] How much time is appropriate for fixing a bug?
>>
>>> Hey Georgi, Didn't take your happy pill this morning? I would say that the answer depends on how the owner/company answers you; if you feel that they're stringing you along and you have given them some time, then warn them that you're publishing, give them 24 hours and then go for it. Obviously it depends on the bug and the software. A major bug in a large program will take longer, and so long as they are talking to you, and you don't miss your morning happy pill, you can wait; a small bug in a small program shouldn't take as long. There is no one answer to your question: if you are having an interactive discussion with them, then be patient; otherwise, Georgi's answer is a good one if they are ignoring you or stringing you along.
>>>
>>> Gary B
>>>
>>> On 07/06/2012 10:33 AM, Georgi Guninski wrote:
>>>
>>>> On Wed, Jul 04, 2012 at 10:49:18PM +0200, Jann Horn wrote:
>>>>
>>>>> After having reported a security-relevant bug about a smartphone, how long would you wait for the vendor to fix it? What are typical times? I remember telling someone about a security-relevant bug in his library some time ago - he fixed it and published the fixed version within ten minutes. On the other hand, I often see mails on bugtraq or so in which the given dates show that the vendor took maybe a year or so to fix the issue...
>>>>
>>>> when i was young i asked a similar question. if you ask me now, the short answer is fuck them, if you are killing a bug the time is completely up to you.