Re: IBM TFTP Server for Java vulnerability

From: David Howe (DaveHoweat_private)
Date: Mon Jul 23 2001 - 10:51:12 PDT


    > Just because a company can't tell you immediately when a bug will be
    > fixed, you say that you are being ignored and see fit to release an
    > advisory?  Do you have any idea how easy the problem will be to fix?
    > Probably not, and I bet IBM would have to do some research first, finding
    > out what code contains the problem, allocating developers, build
    > personnel, and QA the fix before even they know when a fix will be out.
    > Sheesh.
      Well, as I read it, he hasn't had any contact beyond an initial "we will
    look at it" for a month. A month is a long time for an outstanding
    vulnerability if it becomes public knowledge. Surely he deserves to be at
    least "kept in the loop" and get replies to status queries, if only to be
    told the email address of an engineer the problem has been assigned to?
      I would question exactly how much time a noncommittal "we will look at it"
    followed up by ignoring further emails on the subject should buy a company -
    a month is a reasonable time for a vulnerability to be at least confirmed and
    the engineer responsible to contact the person submitting the report and ask
    for a longer extension to get a patch ready; much longer and it could be a
    case of the company just dropping the matter and hoping it gets fixed in the
    next major release, which we have all seen before.