Status update
======================================================================
5) Time Table
28/08/2007 - Vendor notified.
28/08/2007 - Vendor response.
26/09/2007 - Additional information provided and status update
requested.
26/09/2007 - Vendor informs that status update will be provided soon.
10/10/2007 - Vendor provides status update.
23/11/2007 - Status update requested.
24/11/2007 - Vendor provides status update.
======================================================================
6) Time Table
24/02/2009 - Vendor notified.
27/02/2009 - Vendor response.
05/03/2009 - Vendor provides status update (having problems
reproducing the reported vulnerability).
06/03/2009 - Additional details and crash dump provided to vendor.
22/05/2009 - Vendor provides status update (still investigating).
12/08/2009 - Vendor provides status update (vulnerability confirmed).
24/09/2009 - Vendor provides status update (scheduled for December).
======================================================================
5) Time Table
16/04/2008 - Vendor notified.
16/04/2008 - Vendor response.
25/06/2008 - Status update requested.
27/06/2008 - Vendor response (responsible person is on holiday, but
will provide status update ASAP).
24/07/2008 - Status update requested.
13/08/2008 - Status update requested.
13/08/2008 - Vendor response.
01/11/2007 - Microsoft states that the vulnerability is fixed by the
patches released in MS06-069.
02/11/2007 - Vendor informed that MS06-069 does not fix the
vulnerability, which was tested against a fully patched
system.
23/11/2007 - Vendor contacted (status update requested).
23/01/2008 - Vendor contacted (status update requested again).
05/02/2008 - Vendor informed that due to no response to status
requests an advisory will be published in two weeks.
05/02/2008 - Vendor response (vulnerability successfully reproduced
and asks for coordinated disclosure).
======================================================================
6) Time Table
09/07/2009 - Vendor notified.
09/07/2009 - Vendor response.
15/08/2009 - Vendor provides status update.
25/09/2009 - Vendor provides status update.
11/01/2010 - Status update requested.
11/01/2010 - Vendor provides status update (scheduled for May 2010).
30/04/2010 - Vendor provides status update (slipped from May 2010
release and now tentatively targeting August 2010).
======================================================================
6) Time Table
27/07/2009 - Vendor notified.
27/07/2009 - Vendor response.
19/08/2009 - Vendor provides status update.
24/09/2009 - Vendor provides status update.
27/10/2009 - Vendor provides status update.
08/12/2009 - Vendor provides status update.
29/01/2010 - Vendor provides status update.
30/04/2010 - Vendor provides status update (tentatively targeting
======================================================================
Timeline:
20100819 Contacted vendor, supplied PoC
20100825 Vendor acknowledges receipt of information
20100826 Vendor creates ticket, SR # 10645215982
20100922 nSense requests status update
20100928 Vendor responds that a fix is being tested
20101109 nSense requests status update
20101112 nSense requests status update
20101112 Vendor responds, fix is still being tested
20101221 nSense requests status update
======================================================================
6) Time Table
14/07/2009 - Vendor notified.
14/07/2009 - Vendor response.
20/08/2009 - Vendor provides status update.
24/09/2009 - Vendor provides status update (scheduled for fall 2009).
29/10/2009 - Vendor provides status update (scheduled for March 2010).
28/05/2010 - Vendor provides status update (slipped from March 2010
release and now scheduled for August 2010).
02/06/2010 - Vendor provides status update.
deemed a pre-requisite to report the bug to MSRC. Core asks the vendor
if they have any findings that rules out exploitation for privilege
escalation and denial of service attacks.
. 2009-11-04:
Status update from MSRC saying that the investigation into the issue was
concluded. The issue was successfully identified with the PoC provided
by Core. After extensive review it was determined that all the memory
locations identified by the tool fall within the work area of the
Virtual Machine Monitor. The findings are that the contents of the RW
pages are not trusted by Virtual PC and overwritten before use and that
12/18/2007 - Initial Contact
12/18/2007 - Initial Response
12/19/2007 - PoC Requested
12/19/2007 - PoC Sent
01/14/2008 - Status update received
03/27/2008 - Status update requested
03/28/2008 - Status update received - no estimated release date
04/28/2008 - Status update requested
04/28/2008 - Status update received - no estimated release date
01/11/2009 - Vendor states updates being silently released soon,
6) Time Table
07/07/2010 - Vendor notified about vulnerability #1.
08/07/2010 - Vendor notified about vulnerability #2.
08/07/2010 - Vendor response.
15/08/2010 - Vendor provides status update.
11/01/2010 - Status update requested.
11/01/2010 - Vendor provides status update (tentatively targeting
May 2010).
30/04/2010 - Vendor provides status update (slipped from May 2010
release and now tentatively targeting August 2010).
06/16/2008 - Initial Contact
06/16/2008 - PoC Sent
06/17/2008 - Initial Response
06/18/2008 - Confirmation received - no estimated release date
07/22/2008 - Status Update Requested
07/23/2008 - Status Update Received - Update planned in November
12/11/2008 - Status Update Received - no estimated release date
02/19/2009 - Status Update Received - new case manager, estimated
release date 06/09/2009
04/23/2009 - Status Update - release on track
======================================================================
6) Time Table
04/03/2011 - Vendor notified.
04/03/2011 - Vendor response.
19/05/2011 - Vendor provides status update.
01/06/2011 - Vendor provides status update.
30/06/2011 - Vendor provides status update.
12/08/2011 - Vendor provides status update.
24/08/2011 - Vendor provides status update.
26/09/2011 - Vendor provides status update.
======================================================================
6) Time Table
10/03/2011 - Vendor notified.
10/03/2011 - Vendor response.
19/05/2011 - Vendor provides status update.
01/06/2011 - Vendor provides status update.
30/06/2011 - Vendor provides status update.
12/08/2011 - Vendor provides status update.
24/08/2011 - Vendor provides status update.
26/09/2011 - Vendor provides status update.
2009.09.15: Vendor response asking for the PoC to be resent in a zipped and
password protected file (AV problem)
2009.09.15: Resending zipped and password protected
2009.09.17: Symantec Security Response Team verifies the vulnerability
2009.09.22: Symantec product team verifies the finding
2009.09.29: Ask for a status update, because the planned release date is
2009.10.01.
2009.09.29: Symantec Security Response Team tries to get a time line
from the product team.
2009.09.30: Changed release date to 2009.10.08 until a time line is
known
IX. DISCLOSURE TIMELINE
-----------------------------------
2009-09-14 - Vendor notified
2009-09-14 - Vendor response
2009-10-09 - Status update received
2009-10-27 - Status update received
2010-01-29 - Status update received
2010-03-05 - Status update received
2010-03-31 - Status update received
2010-04-09 - Coordinated public Disclosure
======================================================================
6) Time Table
08/09/2008 - Vendor notified.
08/09/2008 - Vendor response.
09/10/2008 - Status update requested.
17/10/2008 - Vendor provides status update.
31/03/2009 - Status update requested.
07/04/2009 - Vendor provides status update.
20/04/2009 - Vendor provides status update.
28/04/2009 - Public disclosure.
VIII. DISCLOSURE TIMELINE
10/09/2007 - Initial Contact
10/09/2007 - Initial Vendor Response
08/27/2008 - Vendor Status Update
12/11/2008 - Requested Status Update
12/11/2008 - Vendor Status Update
04/14/2009 - Requested CVE
04/14/2009 - Requested Status Update
04/15/2009 - Vendor Status Update
======================================================================
6) Time Table
07/01/2008 - Vendor notified.
07/01/2008 - Vendor response.
24/01/2008 - Status update requested.
24/01/2008 - Vendor response (division has been asked for an update).
20/02/2008 - Status update requested.
20/02/2008 - Vendor response (division has been asked for an update
and claims that the product is unaffected by some of the
reported vulnerabilities).
03/17/2008 Initial vendor notification
03/17/2008 Initial vendor response
03/17/2008 PoC requested
03/17/2008 PoC sent
04/18/2008 Status update request sent
05/28/2008 Status update request sent
07/03/2008 Status update received, new case manager assigned
06/26/2009 Status update received, new case manager assigned
06/26/2009 Bulletin release scheduled for July
07/09/2009 Status update received, bulletin delayed
13/11/2008 - Vendor notified.
18/11/2008 - Vendor response.
20/11/2008 - Vendor asks for additional information.
20/11/2008 - Clarification of the two problems provided to the vendor.
26/11/2008 - Vendor provides status update.
02/02/2009 - Vendor provides status update.
24/02/2009 - Vendor provides status update.
31/03/2009 - Status update requested.
31/03/2009 - Vendor provides status update.
04/05/2009 - Public disclosure.
======================================================================
6) Time Table
30/10/2008 - Vendor notified.
30/10/2008 - Vendor response.
07/11/2008 - Vendor provides status update.
11/12/2008 - Vendor provides status update.
20/02/2009 - Vendor provides status update.
24/04/2009 - Vendor provides status update.
05/05/2009 - Vendor provides status update.
12/05/2009 - Public disclosure.
. *2007-10-17*: Vendor acknowledges notification, provides public key and
requests a draft of the security advisory.
. *2007-10-17*: Core sends the draft advisory.
. *2007-10-19*: Vendor indicates it will be able to address the issue in
a release planned for December.
. *2007-10-29*: Core requests a status update since there has been no
communication since October 17th, 2007. Vendor indicates it will be able
to address the issue in a release planned for December; this information
was already provided to Core on October 19th, 2007 in a personal email
exchange. The December release is likely to be moved to the first week of
January 2008.
======================================================================
6) Time Table
20/05/2009 - Vendor notified.
20/05/2009 - Vendor response.
15/09/2009 - Vendor provides status update.
27/10/2009 - Vendor provides status update.
11/01/2010 - Status update requested.
11/01/2010 - Vendor provides status update.
02/02/2010 - Vendor provides status update.
09/02/2010 - Public disclosure.
X. DISCLOSURE TIMELINE
-------------------------
Sep 7, 2009 12:09 PM: Vulnerability reported to Google and Opera Security
Teams.
Sep 7, 2009 12:10 PM: Automated Response from Google Security Team.
Sep 7, 2009 03:49 PM: First Status update provided by Google Security Team.
Quick response for a Holiday.
Sep 8, 2009 01:09 AM: First Status update provided by Opera Security Team.
Vulnerability concluded as design feature.
Sep 8, 2009 03:28 PM: Vulnerability confirmed by Google Chrome Security
Team. Patch timelines provided.
Core asks the vendor to confirm the reception of the technical report.
No reply received.
. 2010-04-29:
Core notifies the lack of an answer from the iManager team in the last
3 weeks. Core also requests a status update and notifies the advisory
publication has been re-scheduled to May 17th.
. 2010-04-30:
iManager team notifies the Service Request 10614363428 has been opened
to track this issue.
2010-07-01 Apple was provided a draft advisory
2010-07-02 Apple acknowledges receipt of advisory
2010-07-22 Request for confirmation of issue
2010-07-25 Apple confirms issue under investigation
2010-09-02 Request for status update
2010-09-02 Apple confirms fix is being tested
2010-10-13 Request for status update
2010-10-14 Apple confirms fix is planned for undetermined date
2010-11-16 Request for status update
2010-11-16 Apple confirms ship date is set for early 2011
HP SSRT informs Core that HP engineering have been notified and will
notify Core when they have a schedule estimate. SSRT assigned the IDs
SSRT090177 and SSRT090178 to the vulnerabilities reported by Core.
. 2009-08-27:
Core requests a status update from HP SSRT.
. 2009-08-27:
HP SSRT informs Core that the vulnerabilities are in third-party code
and that the third-party vendor has been notified but there isn't a
schedule for fixes yet. HP SSRT indicates that it is sure HP will not
IX. DISCLOSURE TIMELINE
-----------------------------------
2009-05-28 - Vendor notified
2009-05-28 - Vendor response
2009-07-18 - Status update received
2009-10-30 - Status update received
2010-01-07 - Status update received
2010-03-11 - Status update received
2010-03-31 - Coordinated public Disclosure