On 1/24/07, Christian Kujau <lists@xxxxxxxxxxxxxxx> wrote:
On Wed, 24 Jan 2007, zdi-disclosures@xxxxxxxx wrote: > -- Disclosure Timeline: > 2005.07.07 - Pre-exiting Digital Vaccine released to TippingPoint > customers > 2006.10.02 - Vulnerability reported to vendor > 2007.01.24 - Coordinated public release of advisory out of curiosity: why took it 1+ year to report this vulneralbility to the vendor?
Where do you see 1+ year? *Pre-existing* means there already existed a "vaccine" that blocked vulnerabilities of this type released in '05. This does not necessarily mean that was when ZDI received the bug submission. So it was reported to the vendor in October and released to the public in January... 4 months is not an outstanding patch time.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/