9 comments

[ 2.6 ms ] story [ 33.5 ms ] thread
Heh, I use this software.

is it only Windows 8 that is affected? we don't have that deployed anywhere at my company. :)

Why would Cisco not automatically opt-in for the grace period? Defies me. May be I am missing something.
Grace periods exist as an incentive for these companies to take action. Maybe Cisco thought they were calling their bluff... but they weren't bluffing.
(comment deleted)
An impulsive company would automatically opt-in for the grace period, using the rationale that the less people who know about the bug, the less damage can be done to Cisco and their customers.

A wise company would consider disclosing the bug even without a patch, using the rationale that their customers deserve to know that the bug exists and make decisions and implement workarounds to mitigate it.

In other words, public disclosure may be in the best interests of Cisco's customers.

This is not a particularly interesting bug. The editorialized headline suggests that the interesting part about this story is that Cisco elected not to ask for a disclosure grace period. So? That's how it's supposed to work: get the risk information out in public as quickly a possible. Cisco did the right thing here.
If I read the comments I see: "Cisco originally aimed to get the release of the patch for the 22nd September, however due to testing issues this has been postponed until the 29th which would fall outside of the 90 day disclosure window. Cisco were informed that a grace period exists for this exact situation and they could use it if they requested. However in this case Cisco has declined to use the grace period."

So it sounds like they were aware of the issue, communicated out a fix would be in place but 7 days later than the expiration. Someone didn't want to budge those 7 days and released it anyway.

Not that its a big flaw but it seems a bit inflexible. Companies as large and as old as Cisco don't move very fast..

Previously, Google has been getting negative feedback for not giving a grace period in the event of an imminent update being released to patch a vulnerability. As a result, they added a grace period to prevent such situations from happening. In this instance, Cisco, the vendor, communicated that they would not want to use the grace period and published the vulnerability on their own website despite Google communicating that they could have waited.