
Cisco declines disclosure grace period, bug gets released - LukeB_UK
https://code.google.com/p/google-security-research/issues/detail?id=460
======
tptacek
This is not a particularly interesting bug. The editorialized headline
suggests that the interesting part about this story is that Cisco elected not
to ask for a disclosure grace period. So? That's how it's supposed to work:
get the risk information out in public as quickly as possible. Cisco did the
right thing here.

------
tastynacho
If I read the comments I see: "Cisco originally aimed to get the release of
the patch for the 22nd September, however due to testing issues this has been
postponed until the 29th which would fall outside of the 90 day disclosure
window. Cisco were informed that a grace period exists for this exact
situation and they could use it if they requested. However in this case Cisco
has declined to use the grace period."

So it sounds like they were aware of the issue, communicated out a fix would
be in place but 7 days later than the expiration. Someone didn't want to budge
those 7 days and released it anyway.

Not that it's a big flaw, but it seems a bit inflexible. Companies as large and
as old as Cisco don't move very fast.

~~~
Shank
Previously, Google has been getting negative feedback for not giving a grace
period in the event of an imminent update being released to patch a
vulnerability. As a result, they added a grace period to prevent such
situations from happening. In this instance, Cisco, the vendor, communicated
that they would not want to use the grace period and published the
vulnerability on their own website despite Google communicating that they
could have waited.

------
dijit
Heh, I use this software.

Is it only Windows 8 that is affected? We don't have that deployed anywhere at
my company. :)

~~~
merlish
[http://tools.cisco.com/security/center/viewAlert.x?alertId=4...](http://tools.cisco.com/security/center/viewAlert.x?alertId=41136)

"At the time this alert was first published, all versions of Cisco AnyConnect
Secure Mobility Client for Windows were vulnerable." and no mention of Windows
8 specifically in Cisco's page suggests that this works on any version of
Windows where the application runs.

------
throwaway6497
Why would Cisco not automatically opt in for the grace period? Defies me. Maybe
I am missing something.

~~~
RickHull
An impulsive company would automatically opt in for the grace period, using
the rationale that the fewer people who know about the bug, the less damage can
be done to Cisco and their customers.

A wise company would consider disclosing the bug even without a patch, using
the rationale that their customers deserve to know that the bug exists and
make decisions and implement workarounds to mitigate it.

In other words, public disclosure may be in the best interests of Cisco's
customers.

