Comments on: What If All Vulnerabilities Had This Disclosure Timeline?

By: Evgeny Legerov

Evgeny Legerov — Sun, 10 Feb 2008 21:41:39 +0000

Nice to see updated post, thanks.
FYI – http://elegerov.blogspot.com/2008/02/i-will-be-adding-3-absolutely-new-bugs.html

By: none

none — Sat, 09 Feb 2008 13:34:59 +0000

CG: Your missing the point. The statement that gleg made …

“Gleg founder Evgeny Legerov confirmed his company’s refusal to share the RealPlayer exploit details, arguing that he needs “exclusivity” for a few months to help his customers understand the level of risk they face.”

… is completely absurd. With each day that gleg doesn’t tell Real he puts his clients at a greater risk. His client should demand that he inform Real so that a patch can be made available to them.

By: Evgeny Legerov

Evgeny Legerov — Sat, 09 Feb 2008 12:17:20 +0000

my comments here – http://elegerov.blogspot.com/

By: asdf

asdf — Sat, 09 Feb 2008 09:35:29 +0000

this link http://isc.sans.org/diary.html?storyid=3810 actually mentioned old RealPlayer 11 activex exploit http://www.kb.cert.org/vuls/id/871673

By: CG

CG — Thu, 07 Feb 2008 06:41:34 +0000

and how in all that is gleg supposed to pay the rent?

it seems the days of vendors getting vulnerability information for free are over, besides a subscription to canvas isnt even close what you would pay someone with the skill to go thru and find and fix that code anyway.

By: Spire Security Viewpoint

Spire Security Viewpoint — Thu, 07 Feb 2008 04:28:42 +0000

The Hot Potato of Blame in the Vulnerability Game…

… (or should I say Potatoe in honor of primary season? ;-)) Chris over at Zero in a Bit has a thoughtful post on the timeline for the recent Real Player vulnerability found by Gleg. This strikes me as the type of thing we need to learn to live with. …