Vendors consider several factors when deciding which software remedy to implement.
To start, the complexity of the flaw and the seriousness of its effects are major factors in
the decision process. In addition, the established maintenance schedule will
weigh into the final decision. For example, if a service pack was already scheduled for
release in the upcoming month, the vendor may choose to address the flaw within that
release. If a scheduled maintenance release is months away, the vendor may issue a specific
patch to fix the problem.
NOTE Agreeing upon how and when the fix will be implemented is often a
major disconnect between finders and vendors. Vendors will usually want to
integrate the fix into their already scheduled patch or new version release.
Finders usually feel it is unfair to make the customer base wait this long and
be at risk just so it does not cost the vendor more money.
Release
The final step in the OIS "Security Vulnerability Reporting and Response Policy" is the
release of information to the public. The information is assumed to be released to the
general public at one time, and not in advance to specific groups. OIS does not
advise against advance notification, but realizes that the practice exists in case-by-case
instances and is too specific to address in the policy.