With the bit of talk of notifying vendors in the past day or two, I thought I might throw in my $0.02 and how I do things. Notification and how long you wait for a response should be dependent on usage of the software. For example, the WU-FTPD hole in 2.5.0. No exploit has been released to date, even though 2.6.0 is out. It's a widespread package that would affect a LOT of systems if the exploit was just tossed out without giving the vendors time to come up with at least a temporary fix better than "disable FTP".

I believe that notification is _almost_ always necessary (except in rare cases like my Alibaba CGI bugs, because Alibaba had already demonstrated their lack of interest in the security of their software). So basically what I'm trying to say is the time you wait for a response from the vendor (and/or a patch released) should depend on the severity of the hole and how widespread it will be.

-Kerb-
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:25 PDT