I'm having a discussion with a vendor, maybe you can help me out. What's the goal of a security advisory?

As such, when should a security advisory be published?

To make this clear: this is about security advisories as published by the vendor. Just assuming that the researcher went for coordinated disclosure or no disclosure at all.

@WPalant I've also seen security advisories published before there's even a patch, in some cases—when there's a workaround, and the patch will take a while to produce.

Unless the vendor has been given ample time to fix their shit and has done nothing, the disclosure should await the fix.

@ScottMortimer That's the assumption in the question - that disclosure happens after the fix, probably considerably later.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.