* Owen DeLong:
On Feb 12, 2008, at 11:46 AM, Florian Weimer wrote:
* Owen DeLong:
If the vulnerability cannot be corrected through a vendor patch, then, one has to wonder what, exactly the vulnerability is.
You assume that a vendor patches a vulnerability once they learn about it. In my experience, this is not true. Sometimes it's easy to explain (product or vendor ceased to exist), sometimes it's not (some cross- site scripting issues I'm trying to straighten out; minor bugs to you perhaps, but huge media exposure because of their visibility and reproducibility--think FDIV bug).
No, I presume that a vulnerability identified as "cannot be resolved through vendor patch" means a vulnerability for which, even if a vendor patch were available, it would not resolve the vulnerability.
These vulnerabilities surely exist, but they are usually not considered software vulnerabilities as such, and are usually not part of such vulnerability reports. (A popular example are attacks on the Ebay transaction protocol.)
A vulnerability for which a patch is not yet available, but, which could be resolved if the vendor released a patch is a vulnerability which "CAN be resolved through vendor patch when one becomes available."
I wouldn't view it this way, but I can understand that this is a possible interpretation.
It is unclear from the text provided which of our conflicting definitions for the term applies in IBM's text.
True, I'll try to get clarification.