On Mon, 28 Feb 2000, you wrote:
No, we are not talking about security through obscurity. It is common to notify the maintainers of a piece of software about a security hole before you notify the public, to give them a chance to fix the problem.
Point is, you are probably not the only one who has found the weakness. IMHO, the time you wait to notify the public shouldn't be more than a couple of days. Of course, if it's a *big bug* that will take TIME to patch, then give them some more time, but if it's an unchecked buffer .. well. Release the bug after a day or two. That way, people may patch themselves, and in addition you light a fire under the developers' asses - thus ensuring that they release sooner instead of later. Oh, and those that don't follow bugtraq and notice the bug announcement in the first place probably won't notice that the vendor ships a patch either.

-- 
"Rune Kristian Viken" <arcade@kvinesdal.com> / arcade@irc (EFnet/IRCnet)
Kvinesdalsnett System Administrator (http://arcade.kvinesdal.com/)