Hacker News

john_strinlai, yesterday at 6:18 PM (2 replies)

>For reference, the standard is 30 for the developer to fix and 90 for it to land on machines

No, the standard is 90 days from notification or 30 days from the patch date, typically whichever is sooner.

e.g.

> If a vendor patches a security issue 47 days after Project Zero notified the vendor about the vulnerability, details would be made public on day 77.

> If a vendor patches a security issue 83 days after Project Zero notified the vendor about the vulnerability, details would be made public on day 113.

Please also note that you are blindly quoting Wikipedia articles at people who either currently work in security research or used to work in security research. While we are not infallible, you should perhaps consider that we at least have real-life experience dealing with vulnerability disclosure processes, and aren't just learning about them today from Wikipedia. When a room full of experienced professionals is telling you that you are misunderstanding something, that is a sign to step back for a second and maybe reconsider your position.

Replies

zamalek, yesterday at 7:26 PM

That's still extremely different to this in one of the GP comments:

> There is no such thing as "the responsible disclosure protocol".

And yes, I admit I got dragged down to their level and beat myself with a dumb stick in the process.

tptacek, yesterday at 6:50 PM

Hey! I still do SOME work in this space. :)
