Whatever happened to public disclosure as soon as a patch is released?
I have been bitten twice by problems relating to difficulties getting security fixes/announcements out in time. In my defence, I was trying to patch a difficult codebase and this just took a long time. For example, there was a full SQL injection audit that took us two months to complete early on, and there was an issue of XSRF vulnerabilities which could not be effectively patched in a production release.
But waiting a month to announce the security issue after the release was out strikes me as hard to justify.