Home page logo

bugtraq logo Bugtraq mailing list archives

Re: ISS Apache Advisory Response
From: Mike Eldridge <diz () cafes net>
Date: Fri, 21 Jun 2002 18:23:30 -0500

On Thu, Jun 20, 2002 at 06:06:03PM -0400, Klaus, Chris (ISSAtlanta) wrote:
There has been a lot of misinformation spread about our ISS Apache Advisory
and wanted to clean up any confusion and misunderstanding.
1)      Our policy for publishing advisories is to give a vendor 30 to 45
day quiet period to provide an opportunity to create a patch or work around.
If an exploit for the vulnerability appears in the wild, or a patch and
work-around is provided by the vendor or ISS X-Force, this quiet period is
disregarded and the ISS X-Force advisory is published immediately.
In the case of this advisory, ISS X-Force provided an Apache patch and did
not see a need for a long quiet period.

this is a poor justification and is showing extreme disrespect to the
apache project.

if there was a hole in my software package abc, responsibility for
closing the hole is up to *me*, not you.  i would find it extremely
disrespectful and irresponsible if you released an advisory and provided
your *own* patch for it, no matter if it closed the hole or not.

what if your patch caused more problems than it fixed, which is possible
since it's extremely doubtful that you would have more intimate
knowledge of the project than the principal developers do.

the responsibility is the developers', not yours.


   /~\  the ascii                         subvert the dominant paradigm
   \ /  ribbon campaign
    X   against html
   / \  email!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]