John B. Nagle (firstname.lastname@example.org)
14 Nov 88 17:03:43 GMT
I suggest that the security mailing list be posted to a newsgroup,
but with a 60-day delay. Sites and vendors serious about security will either
have fixed any problem by that time, or they probably aren't going to fix it
at all. This insures that a false sense of security is not engendered among
system administrators, yet allows a reasonable time for closing newly discovered
General knowledge of that 60-day timer will tend to accelerate efforts
by vendors to fix problems, I would suspect.
Why 60 days? A monthly update service would be enough to keep systems
operating with the latest security fixes. 30 days would require biweekly
updates to stay current, which is a bit frequent. Much longer than 60 days,
and the pressure would be off on fixing holes.
This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:44:30 GMT