If you think 90 days is too short to develop a security fix, what is your plan if there's an actively exploited security bug in your product where you have to deliver a fix within hours...
Replying to @hanno
To be fair, there are tradeoffs when making some fixes between risk of breaking things & risk of exploit. But yeah 90 days is way more than enough.
3 replies 0 retweets 4 likes -
Replying to @RichFelker
Sure, I don't want people to rush fixes in 2 hours if there's no need to rush. But there should be a reasonable balance. If you can't deploy a good fix in 90 days, I don't believe that you can deploy any fix in 2 hours.
1 reply 0 retweets 8 likes
Replying to @hanno @RichFelker
The @certcc splits the difference at 45 days. Whether it's an ideal compromise is yet to be determined.
4:19 PM - 20 Feb 2018
0 replies
0 retweets
1 like