[VIM] Responsible Disclosure Article

[security curmudgeon]

Hey Bill,

: 1. Vendors need time to find, address, and fix the problem. During this 
: period all systems all vulnerable, which seems to be alright assuming 
: the researcher is the only one who knows about the vulnerability. So, 
: how often do you think this assumption is false? Let's take the most 
: recent Apple advisory for QuickTime (APPLE-SA-2006-05-11) - for 
: CVE-2006-1249 concerning the integer overflow in FlashPix images, Apple 
: credits two different, probably independent researchers. If two people 
: reported to Apple how can we be certain that no one else is already 
: active exploiting it?

On my overly long, overly backed up 'todo' list..

I noticed a year or two ago that some of the big vendors (I think it was 
'Real' originally) were reporting multiple researchers discovered an issue 
in the advisory. This made me wonder how often that occured, where 
multiple creditees were recognized for a big issue. I had planned to dig 
into that more for a blog piece, then give a firm challenge to 
anyone/everyone to prove me wrong when I said that just because someone 
'privately' reported a vuln to a vendor (MS loves that term), doesn't mean 
that bad guys aren't currently abusing the same issue. If two researchers 
(or more) can find the same bug, and both can sit on it for months at a 
time.. then we would be stupid to believe it stopped there.