Panel Probes the Half-life of Bugs
Kevin Poulsen, SecurityFocus 2003-07-30

LAS VEGAS--Software security holes never die; they fade from the Internet at a rate of 50% every thirty days after a patch is released, according to the results of a study released at the Black Hat Briefings security conference here Wednesday.

Panel Probes the Half-life of Bugs 2003-07-31
Anonymous (1 replies)
"The guidelines would give vendors at least 30 days to produce a patch for a vulnerability before a bug-finder goes public with it. The bug-finders would then withhold exploit code and technical details for another 30 days after the advisory."

When a bug is published, within a few days to a week there is already an exploit circulating in the underground. Doing so would do more harm than good. Based on these results there should be a waiting period of 30 days between the time a vendor has published a patch and the release of the existence of the bug. It is true that this is not always possible since it is usually easy enough to know the details of a bug based on the patch, but in most cases where there are regular updates a patch can be hidden, and without public knowledge of the existence of a bug it would be very difficult to scan all updates released for something that might be a patch to a vulnerability. If LSD did not release the details of the existence of a bug - the group(s) that released the exploit(s) for the RPC DCOM vulnerability would not have known where and when to look, and by the time the bug was found the 30 day window would have been long gone.

My 2 cents.


Panel Probes the Half-life of Bugs 2003-08-02
comp-secure (at) iservhost.com (dot) au [email concealed]
Copyright 2009, SecurityFocus