Jan Wieck wrote:
> On 1/30/2005 10:18 AM, Peter Eisentraut wrote:
>
>> Dawid Kuroczko wrote:
>>
>>> I think it is in good taste that when you find a
>>> bug/vulnerability/etc first you contact the author (in this case:
>>> core), leave them some time to fix the problem and then go on
>>> announcing it to the
>>> world.
>>
>>
>> In this case, core is not the author of the object in question. And
>> of course, to report a "bug/vulnerability/etc" you would write to
>> pgsql-bugs, not core.
>>
>
> No, Peter.
>
> Posting a vulnerability on a public mailing list "before" there is a
> known fix for it means that you put everyone who has that vulnerability
> into jeopardy. Vulnerabilities are a special breed of bugs and need to
> be exterminated a little different.
>
>
> Jan
>
ain't that the truth.
if a vulnerability is found, try to find a fix, or work around, post it
privately to the developer, give them an opportunity to get it fixed
before going public.
when dealing with open souurce, this system works great.
when dealing with proprietary / closed source [ specifically microsoft ]
expect that it's the public announcement that's going to start them
doing something about it.
I personally would only give ms a week at most to fix the problem before
going public.
since open source if usually fixed in that time frame.
Jaqui
