I haven't checked what happened with OpenSSH, but so far as I know the Apache support people came up with a workaround within hours of the announcement of the "chunked" vulnerability and followed up with a working patch within a few days - Post-sales service is what differentiates a vendor you want to continue doing business with from one whom you should dump by sundown. So far as I am concerned, the Apache folks are a pretty good vendor. And as for the allegedly poor timing of the announcement of the vulnerabilities, is there ever such a thing as an excellent time for news that you don't want to hear?

The rock on which security rests is integrity - which in this case means the willingness to share bad news in a timely fashion, and take swift effective corrective action. The Apache and OpenSSH folks have integrity: any talk of security is meaningless without integrity - and I am surprised that as a fellow security guy, you missed something so fundamental by worrying so much about the PR repercussions. As far as we security people are concerned, none of our clients and customers should be selecting and running systems on PR - In fact, the nervous Nellies - assuming that they are smart enough to be nervous - are most probably paying us to sort PR from substance and toss out the PR. I agree that often, the trick is to get them to do the right thing without losing the paycheck.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/96/14424#14424