From: Sam Greenfield (sam_greenfield@SIMAIL.COM)
Date: Tue Apr 30 2002 - 19:14:09 CDT
GreyMagic Software writes:
> Discovery date: 30 Mar 2002.
[...]
> Netscape was contacted on 24 Apr 2002 through a form on their web
> site and through email to security@netscape.com and
> secure@netscape.com. They did not bother to respond AT ALL, and we
> think we know why.
It seems a bit irresponsible to report a bug in a product to the
vendor almost one calendar month after discovering a security
hole. Is there any reason why GreyMagic decided not to report this
bug sooner?
For what it's worth, according to the Bugzilla database, this was
entered as a bug in the underlying Mozilla code on April 29, the third
business day after GreyMagic reported the bug.
For full details, see
http://bugzilla.mozilla.org/show_bug.cgi?id=141061 (When it was
created, the bug report was marked "Security-Sensitive" due to the
fact that this was a security issue.) The bug is marked as a
critical, high severity bug, and a fix is desired for the first full release
of Mozilla.
> Users of Netscape Navigator should move to a better performing, less
> buggy browser.
What browser does GreyMagic recommend?
> By completely disregarding our post Netscape has earned themselves a $1000
> and lost any credibility they might have had. The money is irrelevant, but
> using such a con to attract researchers into disclosing bugs to Netscape is
> extremely unprofessional.
I'm also a little surprised that GreyMagic expected an immediate
response and an immediate payoff. It has only been four business days
since they reported this bug to Netscape.
Sam Greenfield
n.b. I have no affiliation with the Mozilla projects--all of my
information is gleaned from the public Bugzilla website.