Do you want your name on Sun bug reports?

I have seen cases where customers find relatively advanced bugs in software. These customers contact the vendor, the vendor acknowledges the bug and provides a fix for it. Now, the question is, should the public BugID refer back to the original customer/company who found this bug? I.e., should that company get 'cred' for it?

The reason I ask is because I have seen scenarios where certain customers (usually banks) will find a bug and, after it's been fixed, they will ask that their information NOT be made public as it relates to that bug. Then we have the flip side, where the customer calls in and asks "Hey, so do we get any recognition for finding this bug?".

Soo..

Should it be:

1.) Let the customer decide
2.) Publish information on who originally found the bug
3.) Hide information on who originally found the bug

Comments:

It's quite obvious why banks (especially) do not want this information disclosed. By admitting that they 'found' a bug, they are admitting that they 'use' a particular product (let's say Solaris in this case.) Now, if a smart person were to find another security bug in Solaris, they already know that Bank X uses Solaris, so why not target that company with the latest exploit to the bug?

Posted by guest on December 22, 2004 at 03:52 AM PST #

I'd say allow the customer to decide, but have it default to show the information. I spend my days working at a University, and credit for findings is worth more than gold around here. Also, for the persons who found it, it's nice to be able to get some recognition for work from the community, then you get to spend brownie points when you need help from others :) However, some places aren't nearly as open as a University, and don't want their names near anything that has Bug in it, and that should definitely be respected as well.

Posted by Paul Greidanus on December 22, 2004 at 03:54 AM PST #

While I'm not questioning \*why\* some banks don't want their information on a bug report, I don't think it's necessarily because they don't want people to know what OS they use. There are much easier ways of finding that out. Nevertheless...I suppose it's a thought that goes through their heads.

Posted by Moazam on December 22, 2004 at 03:55 AM PST #

I think it should be up to the customer. When the bugid is issued, ask the customer what he wants; if you forget to ask, the default should be to not show (in my opinion).

Posted by K G on December 22, 2004 at 06:57 AM PST #

A better question - as the developer tasked with fixing such a bug, why do you care who found it? Are you going to double check your work if it's a "big" customer? Personally I'm glad when issues are uncovered. Whether they are reported by automated test suites, QA or the customer it doesn't matter to me.

Posted by Sean Yunt on December 22, 2004 at 09:09 AM PST #

Sean, I'm not sure where I stated that \*I\* cared who found the bug or not. I've seen certain bugs fixed for small customers, big customers, and other bugs/RFEs that won't be fixed until the next major release, even if it was reported by a top 10 customer. Sometimes there are problems that simply do not have a simple fix, i.e., they may break backward compatibility or require an architectural redesign of sorts. The only reason I'm asking the original question is because I've seen customers with both stances, public vs. private information on the finder of the bug.

Posted by Moazam on December 22, 2004 at 09:32 AM PST #

Having found several bugs over the years, I'd say allow the customer to choose whether the information is shown. I would love to have my name show up against the bug in SunSolve.

Posted by Iain on December 22, 2004 at 01:29 PM PST #

About

moazam
