<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6001.18063" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>mrdkaaa,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>are you saying that this vulnerability is not new
to the public?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>The program phgrafx had some vulnerabilities
published, but this one is not the same of any other that I can find in
securityfocus. One program can have a lot of vulnerabilities :) </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>But yes, this vulnerability is at least four years
old, but was not public.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Anyway, QNX released Service Packs to solve some
security problems in the past, and it's not our problem, we are advising the
customers, they can choose or not the company. If you are a customer you
probably would like to know about security issues in all product that you use.
Also, we agree it's a crap vuln, that's why we took too long to release it.
Whatever, why hold it?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>p.s.: Rodrigo and me are no longer working for
Scanit, so it's just a personal opinion, not a company official position. If you
want to know about the company vulnerability release process or any other
information, please, contact the Scanit R&D team.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Cheers,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Filipe Alcarde Balestra</FONT></DIV></BODY></HTML>