Linked by Thom Holwerda on Sat 1st Jun 2013 18:43 UTC

Thread beginning with comment 563501
RE[4]: Comment by Nelson
by lucas_maximus on Mon 3rd Jun 2013 11:43
in reply to "RE[3]: Comment by Nelson"
> A bug is not the same as a critical security vulnerability. If you lump them together, then it's you who has no clue.

Since we are talking about software, most would consider it a software defect, which is more commonly known as a bug. Sorry you are being a pedantic dick-piece.

> Security vulnerabilities have high priorities and just like bugs are classified Minor, Moderate, Major and Critical.
> I've had to patch a few critical security vulnerabilities. The total response time for them ranges 8-72 hours, including QA. A week to patch, or even put out an advisory, is exceptionally generous.

But you still have to go through a change management process.

Also, you make no mention of whether you actually created the patch, deployed it, or the complexity.

i.e. fixing an SQL injection vulnerability is relatively easy compared to something like patching a vulnerability in some critical part of the OS.

I can claim to have fixed critical security vulnerabilities when all I really did was change a particular procedure to use parameterised queries and a SPROC.
Edited 2013-06-03 11:45 UTC
> Since we are talking about software, most would consider it a software defect which is more commonly known as a bug. Sorry you are being a pedantic dick-piece.

No. A bug would be like a broken design for the car radio. A security vulnerability is like a broken design for the brake system. The former gets fixed at the garage, the latter gets recalled and costs a lot of money to the manufacturer. Ask Toyota how that went, even though ultimately they may not have been at fault.

Also, name calling only decreases any credibility you had left.
Edited 2013-06-03 12:33 UTC
RE[5]: Comment by Nelson
by JAlexoid on Mon 3rd Jun 2013 13:02
in reply to "RE[4]: Comment by Nelson"
> most would consider it a software defect which is more commonly known as a bug

That is - for a fact - not true. Design flaws are not bugs. A lot of security vulnerabilities are and were not bugs, but perfectly correct implementations of designs and requirements.

> Sorry you are being a pedantic dick-piece.

And I just hope that you don't work on any of the software that stores my private information...

> Also you make no mention of whether you actually created the patch, deployed it or the complexity.

How about all three steps, on multiple occasions, and none of them were SQL injection.

And since when does anyone give a f**k about complexity when it comes to critical vulnerabilities?