From: Mark J Cox <mjc-H+wXaHxf7aLQT0dZR+AlfA-AT-public.gmane.org>
To: oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8-AT-public.gmane.org
Subject: Re: Vendor-sec hosting and future of closed lists
Date: Fri, 4 Mar 2011 08:08:03 +0000 (GMT)
> This certainly underscores that very few flaws need vendor-sec
> coordination, but I would suspect that out of those roughly 725 flaws,
> many of the really critical ones came through vendor-sec.
Actually, not so much. Of the flaws we rated impact critical or with a
CVSS of 'high', only 4 were from that 29 from vendor-sec.
> I'm also curious what "issues already public but found out about it on
> vendor-sec" means?
It's where the date the issue was public is the same date it was reported
to vendor-sec. This can be because it was brought to the wrong list, the
embargo was a day or less, or, less often, vendors wanted to discuss
something about it confidentially (a way to exploit it, etc.).