On Tue, 07 Aug 2007 17:46:51 EDT, Jared DeMott said:

> vendor. I was thinking that this would be ideal since the vendor would
> have the most interest in knowing about/fixing the bug.

That's a dubious statement at best. What a commercial vendor is interested in is minimizing their *total cost* of providing whatever level of security they do. As a result, unless the bad press starts impacting product sales, the *best* stance is "stick head in sand and pretend it's bulletproof". Second best is "issue lots of press releases saying we're dedicated to security". Actually spending the big bucks to make the product secure is a *distant* third.

And the instant they actually *buy* a bug report, they've lost all semblance of plausible deniability. "D'Oh! Somebody reported it in our bugzilla but we overlooked it" doesn't work if you've obviously *not* overlooked it to the point of writing the submitter an actual check.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/