Re: Reporting 1.2K crashes


> I understand. But two weeks might be a bit too short for the majority
> of those crashes. Many upstream authors don't get paid for working on
> their software.

I first want to clarify the purpose of the two-week delay to make sure
we are on the same page. We do not expect upstream developers to fix
the bugs in that time frame. The two-week delay allows developers to
assess the bugs' seriousness. If the bug is security critical and two
weeks is too short to patch it, they can contact us and we'll gladly
delay the public disclosure further. If the bug is not security
critical however, then I do not see any reason not to submit it on the

If you believe that the delay is too short nonetheless, we can
definitely extend it. What would be a reasonable amount of time for
developers to review the bugs then?

The Mayhem Team
Cylab, Carnegie Mellon University