[VIM] interesting thought
Mark J Cox
mjc at redhat.com
Sat May 20 04:45:13 EDT 2006
> Do you mean "widely public" or "technically public" or some other
Probably a third definition of "'obviously a security issue' public". So
if something hits a vaguely obscure but open list (like an Apache
developers list of the linux kernel mailing list) where it's at least
obvious to an engineer it's a security issue then we'll count that date.
There have been a few cases where something has been entered into the
Apache httpd bugzilla, for example, but it wasn't until some point in the
future that one of the Apache engineers figured out it had security
implications -- in which cse we'll choose the date that the engineer
figured out it had security implications.
> Bug reports are still difficult, because the bug might have been marked
> private, then made public sometime when the fix was made available. So
> you don't even know when it was technically public.
This was the big problem we had when arguing some dates from one of those
Microsoft sponsored days of risk reports a few years ago - the research
firm wanted proof that in each case the issue had been private and later
made public. Fortunately almost all of them we were able to get the
history as bugzilla does keep a history.
Actually I wish someone like MITRE published the dates (for any definition
of date), it would save us lots of time and improve our accuracy.
More information about the VIM