5 Feb
2004
5 Feb
'04
3:07 p.m.
My point is that is very unlikely that both bugs had been discovered by ISS within the same time frame. Two days is also little time do develop and test, which raises the suspicion on this issue. I'm not against notification before disclosure, but it seems that the dates on this announcement might have been changed in order to make the solution appear to be developed in very little time. ("See ma, I'm damn fast") Rubens
Why is that bad? I have no objection to giving vendors a reasonable amount of time to fix problems before announcing the whole. Or is your point that two days hardly seems like enough time to develop -- and *test* -- a fix?
--Steve Bellovin, http://www.research.att.com/~smb