Re: Complicated Disclosure Scenario (Summary)

From: Josha Bronson (dmuzat_private)
Date: Fri Jan 18 2002 - 12:03:43 PST


    On Wed, Jan 16, 2002 at 07:01:24PM -0800, Josha Bronson said:
    > So, what would you do?
    
    Thank you to everyone for all your valuable opinions. I've gotten a lot
    of really great feedback on and off the list.
    
    I do use the RFPolicy as a guideline when disclosing security issues. I
    find that the policy outlined in that document is both fair and firm. I
    encourage everyone to read it if they have not.
    
    We have decided to work with a private security research group that has
    generously offered to help on creating an exploit. I'm confident that
    with their assistance we should be able to make a determination as to
    whether the issue can result in execution of code.
    
    I've alerted the vendor that research is continuing, and we will keep
    them posted on our findings. I've also stated to them that from the date
    we send them our final results we will wait for a period of two weeks
    until we make our findings public, fix or no fix. Two weeks may seem
    like a short time, but the vendor has been aware of this issue since
    early January.
    
    Thanks again to all who replied for your input.
    
    Cheers and happy new year,
    -- 
    Josha Bronson
    dmuzat_private
    AngryPacket Security
    



    This archive was generated by hypermail 2b30 : Sat Jan 19 2002 - 11:13:15 PST