  #123  
07-26-2007, 10:17 PM
bobster65
 
Join Date: Mar 2006
Location: Montana
Posts: 1,169

Quote:
Originally Posted by hambil
I don't know who you think is suggesting this, but as far as I know nobody has. Some of us have suggested a short delay (in my case I suggested 24 hours) between when the author is contacted and the alert is sent out, and that's assuming the knowledge hasn't gone public (been announced by someone in the hack thread, for example).

You have some good suggestions, but adding to the inaccurate and inflammatory rhetoric of some others in this thread is not helpful.

BTW: For what it's worth, I've been a professional programmer for 25+ years and written security procedures for major companies. If any of my advice gets me onto your no-hire list, then I'd consider that a positive thing.

Nobody suggested it or needed to suggest it, I made it part of my recommendation in case someone did happen to bring it up in the future, because I don't want to see that policy go away. One of the staff members asked that people provide recommendations, so I did. Not all of mine were based off arguments between members of this site.

As far as your recommendation of a delay, there is nothing positive about a delay period... Both the Author and end user should be informed as soon as the vulnerability is known. It's not your decision as a programmer whether the client wants to disable or remove the hack while you are coming up with a solution, but it is your responsibility to inform them about the vulnerability. Asking for vBorg to delay an announcement is doing just that. I've yet to see anyone provide one positive thing about a delay to the end user. Giving the programmer 24 hours to work on the solution before the end user is informed is NOT a positive thing. The only thing that a delay does is give the author time to work on the fix while the client doesn't know about it and sits there vulnerable. It seems like the attitude from some is "Who Cares about the client, it's just one more day".

Hambil, this is the point where we need to agree to disagree, 'cause I'm not about to get into a petty argument with you over this. I made my recommendations and they included all 3 parties involved (Programmer, Client and vBorg).

btw, for those that took my thread personal (since I wasn't pointing out anyone personally), you may want to take a long look in the mirror tonight as it obviously hit home.
 