Disclosure timelines from vendors - a promising practice?
From: "Steven M. Christey" <coley () mitre org>
Date: Wed, 14 Dec 2005 14:35:57 -0500 (EST)
I was just browsing the Red Hat bug report for the mod_imap XSS issue.
In it, they included a disclosure timeline (possibly from Apache; this
is not clear).
I've only seen a handful of disclosure timelines by a vendor. But in
my opinion, it should be more widely adopted by those who want to
assure their customers that they respond quickly to vulnerabilities.
A vendor who responds quickly and effectively to security reports
would want to "advertise" this fact, I would think.
In this particular case, the timeline shows that the Apache Software
Foundation was ready to coordinate on a release shortly after initial
notification, but there were additional delays due to a coordination
Recently, large-scale comparative analyses on vulnerabilities have
emphasized the publication-to-patch portion of the disclosure window.
But the "known window of exposure" is actually notification-to-patch,
which can be much longer. Most top researchers include timelines that
would help provide this data, but it would be great to see more of
this from vendors.
P.S. In general, disclosure timelines can make interesting reading.
They are highly informative about the twists and turns of the