Full Disclosure mailing list archives
it's all about timing
From: full-disclosure () lists netsys com (Moyer, Shawn)
Date: Wed, 31 Jul 2002 17:53:08 -0500
Comments inline. cc: to that "other" list deleted.
> Sure, HP's response has been harsh. But every security problem (especially when it's accompanied by an exploit) should be reported first to the vendor! There should be no exception from this rule. The person doing the reporting should give the vendor a reasonable period of time to fix it; say, a few weeks or so. Only if the vendor does nothing in these weeks should the report/exploit/whatever be made public.
Riiight.... Great. But according to the (now-yanked) CNet article, Snosoft started talking to HP *this spring*, and HP sat on their hands. So, if the vendor gets several months' notice, does exactly jack squat, and then the vuln. leaks somehow, who do you blame?

As Paul S. pointed out, nothing is black and white, it's all just shades of grey. Me, I blame the vendor. For fsck's sake, this thing works with a no-exec stack! How sad is that? And these dorks wanted months and months to fix it? Who do they think they are, ISC? [ ^_^ ]

Sure, it shouldn't have leaked, but exactly how long *were* they going to let every OSF/1 box out there be a sitting duck? At least now I know to chmod 750 /bin/su and chown it root:wheel (a good practice anyway).

--shawn
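The "chmod 750 /bin/su, chown root:wheel" hardening mentioned above can be audited rather than trusted. The script below is an added example (not from the post or from HP/Snosoft): it checks that a setuid binary is owned by the expected user and group, is not reachable by "other", and still carries the setuid bit it needs. It assumes GNU coreutils `stat`; the owner/group arguments exist so the same check works on any setuid binary, not just su.

```shell
#!/bin/sh
# Audit a setuid binary for the group-restricted layout described in the
# post: owned by root, group wheel, mode 4750 so only wheel members can run
# it. Assumes GNU coreutils `stat -c`; defaults are root and wheel.

# check_su_hardening FILE [OWNER] [GROUP]
# Prints one line per deviation; returns 0 only when every check passes.
check_su_hardening() {
    file=$1
    want_owner=${2:-root}
    want_group=${3:-wheel}
    rc=0

    if [ ! -e "$file" ]; then
        echo "$file: does not exist"
        return 2
    fi

    # Owner, group and full octal mode (special bits included) in one call.
    set -- $(stat -c '%U %G %a' "$file")
    owner=$1 group=$2 mode=$3

    [ "$owner" = "$want_owner" ] || { echo "$file: owner is $owner, want $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$file: group is $group, want $want_group"; rc=1; }

    # Last octal digit is the "other" permission set; anything non-zero means
    # every local account can reach the binary (the situation the post fixes).
    other=${mode#"${mode%?}"}
    [ "$other" = "0" ] || { echo "$file: mode $mode grants others access"; rc=1; }

    # su still has to be setuid root to do its job; stat prints a leading 4
    # (e.g. 4750) when that bit is set and a three-digit mode when it is not.
    case "$mode" in
        4???) ;;
        *) echo "$file: mode $mode lacks the setuid bit"; rc=1 ;;
    esac

    return $rc
}
```

Run as `check_su_hardening /bin/su` on a host that uses the wheel group, or pass the owner and group your platform expects.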