On Feb 12, 2008, at 11:46 AM, Florian Weimer wrote:
* Owen DeLong:
If the vulnerability cannot be corrected through a vendor patch, then, one has to wonder what, exactly the vulnerability is.
You assume that a vendor patches a vulnerability once they learn about it. In my experience, this is not true. Sometimes it's easy to explain (product or vendor ceased to exist), sometimes it's not (some cross- site scripting issues I'm trying to straighten out; minor bugs to you perhaps, but huge media exposure because of their visibility and reproducibility--think FDIV bug).
No, I presume that a vulnerability identified as "cannot be resolved through vendor patch" means a vulnerability for which, even if a vendor patch were available, it would not resolve the vulnerability. A vulnerability for which a patch is not yet available, but, which could be resolved if the vendor released a patch is a vulnerability which "CAN be resolved through vendor patch when one becomes available." It is unclear from the text provided which of our conflicting definitions for the term applies in IBM's text. Owen