It seems to appear to the public that, as an example, Symantec does not suffer from the same bugs as reported in other vendors' products, as I have not released any advisories for them. This is not the case. Symantec and some other vendors seem to either play the "collect all bugs, publish one advisory" game, delaying the patches and exposure window in an unnecessary fashion, or take a rather long time reproducing simple bugs, which isn't really any better.

My reaction to this is to stop submitting vulnerabilities to such vendors and only continue to submit POC files once patches are issued. To remove the incentive to collect multiple bugs and release one advisory, I will publish one advisory per bug, regardless of how many patches are released.

Currently on the "Stop to submit POC files" list are:
  • Symantec
  • IBM
  • Quickheal

