[VIM] recent ZDI advisories and "coordinated"
security curmudgeon
jericho at attrition.org
Sat Apr 16 02:34:49 CDT 2011
Hi ZDI,
Your recent change in disclosure policy has you releasing advisories after
a set amount of time, even if a vendor has not provided a patch.
However, it seems that you are still using your advisory templates without
updating them. Specifically, you are still calling these "coordinated
disclosures" when they don't seem to be.
As an example:
http://zerodayinitiative.com/advisories/ZDI-11-044/
2011-02-07 - Coordinated public release of advisory
Patched April 12, 2011
http://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx
That is a two-month window when there was no vendor patch available. This
is not the generally accepted definition of "coordinated". Could you
please clarify?
Brian
OSVDB.org