Timeline for Is using software without buying all available patches against security standards?
Current License: CC BY-SA 4.0
9 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Apr 28 at 14:59 | comment added | interfect | | @schroeder I don't imagine they would maintain the ability to do that work. If they can't capture value from doing it, they would have to stop, and those vulnerabilities would have to wait for the upstream developers to patch them and for volunteer maintainers to ship it. People who would have bought the patch would be less secure. People who would not have bought the patch, which I suspect is the larger group, might be more or less secure without the program, depending on how much the patch attracts attackers to the flaw versus how much it is redistributed or inspires independent fixes. |
| Apr 28 at 14:29 | comment added | schroeder♦ | | If you are using software with known vulnerabilities, remediate or stop using that software. |
| Apr 28 at 14:26 | comment added | schroeder♦ | | ... but Ubuntu is writing patches for other people's products and your opinion is that these should be free? How do you imagine one maintains the ability to do this work without paying people to do it? |
| Apr 28 at 13:48 | comment added | interfect | | @schroeder It's less of an impression and more of an opinion. If you let just anyone start charging all users of critical software for their patches, enforced by auditors who will shut you down if you don't pay and IP lawyers who stop the price from cratering after the first sale, you'll end up with ransomware-style extortion with extra steps. You break down such a regime with free, or at least trivially cheap and generally available, patches. |
| Apr 23 at 20:00 | comment added | Greg Askew | | It's called Vulnerability Compliance. qualysec.com/vulnerability-compliance |
| Apr 23 at 18:55 | comment added | schroeder♦ | | You appear to be under the impression that all patches should be free, and if they are not, then auditors should overlook the known vulnerability that you elect to keep exposed in your software... |
| Apr 23 at 16:35 | answer added | Gh0stFish | | timeline score: 2 |
| Apr 23 at 16:20 | comment added | Steffen Ullrich | | Aren't you basically asking if knowingly using vulnerable software could be a compliance violation for some kind of compliance requirements? Phrased this way the answer should be a clear yes. |
| Apr 23 at 14:50 | history asked | interfect | CC BY-SA 4.0 | |