[VIM] interesting thought

Mark J Cox mjc at redhat.com
Sat May 20 04:45:13 EDT 2006

> Do you mean "widely public" or "technically public" or some other
> definition?

Probably a third definition of "'obviously a security issue' public".  So 
if something hits a vaguely obscure but open list (like an Apache 
developers list of the linux kernel mailing list) where it's at least 
obvious to an engineer it's a security issue then we'll count that date. 
There have been a few cases where something has been entered into the 
Apache httpd bugzilla, for example, but it wasn't until some point in the 
future that one of the Apache engineers figured out it had security 
implications -- in which cse we'll choose the date that the engineer 
figured out it had security implications.

> Bug reports are still difficult, because the bug might have been marked
> private, then made public sometime when the fix was made available.  So
> you don't even know when it was technically public.

This was the big problem we had when arguing some dates from one of those 
Microsoft sponsored days of risk reports a few years ago - the research 
firm wanted proof that in each case the issue had been private and later 
made public.  Fortunately almost all of them we were able to get the 
history as bugzilla does keep a history.

Actually I wish someone like MITRE published the dates (for any definition 
of date), it would save us lots of time and improve our accuracy.


Cheers, Mark

More information about the VIM mailing list