[VIM] new strategy for dealing with pesky vulnerabilities

J.M. Seitz jms at bughunter.ca
Mon Oct 8 16:38:23 UTC 2007


Is it any wonder that the faith in responsible disclosure is waning? Who
are you protecting by giving this to a company like HP, praying to
the Greek goddess Vulnerabilica and hoping they will fix it? Meanwhile,
if after 6 months you drop a 0-day because they haven't done anything,
they might just move on it. But then of course you get absolutely flamed
for being a black-hat... oh well, it's Thanksgiving here today; turkey
will make me feel better.

security curmudgeon wrote:
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=572
> 11/02/2004 Initial vendor notification
> 11/03/2004 Initial vendor response
> 12/19/2005 Second vendor notification
> 01/30/2007 Third vendor notification
> 01/30/2007 Third vendor response
> 04/25/2007 Status update requested
> 06/08/2007 Status update requested
> 07/24/2007 Status update requested
> 07/30/2007 Vendor stated product's support ended in 2002
> 08/06/2007 Vendor communicated their response
> 08/07/2007 Coordinated public disclosure
> November 2, 2004, HP is informed of the vulnerability in HP-UX 11.11i.
> Almost three years later, HP says "product's support ended in 2002".
> Also from the advisory:
>   Hewlett-Packard states that this product is obsolete and no longer
>   supported. They have no plans to release a patch or advisory. They
>   further stated that the version of HP-UX used to verify this
>   vulnerability is also obsolete.
>   "HP simply recommends that customers upgrade to a currently supported OS
>   release and to some other tool, if one is available."
> So it took HP almost three years to realize the software was no longer
> supported and say that is a solution?
