[25915] in bugtraq
Re: ISS Advisory clarification
daemon@ATHENA.MIT.EDU (Michael Stone)
Fri Jun 21 19:28:49 2002
Date: Fri, 21 Jun 2002 19:07:38 -0400
From: Michael Stone <mstone@cs.loyola.edu>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Message-ID: <20020621190738.B5065@justice.loyola.edu>
Mail-Followup-To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <F3E7C024F0FD4E44BC78DB62CEBC1613569C@atlmaiexcp02.iss.local>; from CKlaus@iss.net on Fri, Jun 21, 2002 at 04:15:53PM -0400
On Fri, Jun 21, 2002 at 04:15:53PM -0400, Klaus, Chris (ISSAtlanta) wrote:

> 1) We did notify Apache before going public. ISS X-Force emailed
> Apache in the morning at 9:44am regarding this Advisory. We waited until
> the afternoon before sending to Bugtraq for approval and finally reaching

[snip]

> We are currently working with another major vulnerability dealing with
> an open-source vendor whereby we both are coordinating and cooperating
> and shrinking the 30 day quiet period significantly

Well, I can't argue that a couple of hours isn't significantly shorter
than 30 days. I do think it's still somewhat unclear why this second
"open-source vendor" gets the courtesy of coordination and cooperation,
but the apache group got effectively blindsided.

If anything, your second "clarification" seems to contradict your first
"response" that the apache project couldn't be trusted with
coordination, "due to the general nature of open-source."

This seems more like 'obfuscation' and 'covering' than 'clarification'.
--
Mike Stone