PGP 8.0 released today
Thu Dec 5 11:16:06 2002
On Wed, 4 Dec 2002, Johan Wevers wrote:
> And when you find a bug you have to report it to them only, and are only
> allowed to publish it openly 30 days after you report it to them. So since
> you are officially (unofficially you change it yourself of course when you
> know how, AND when they release the complete source) not allowed to
> distribute any changed versions they want 30 days security by obscurity. :-(
That is more than reasonable.
Speaking as the person who had to test the ADK vulnerability fixes for
over a dozen different platforms and multiple products, having zero lead
time for vulnerability correction makes that process rather painful.
I am a firm believer in full disclosure. However, giving a vendor a
reasonable time period in which to evaluate the threat, produce a fix, and
distribute it to customers should be standard practice.