
icehawk | 3 months ago

> I upgrade all dependencies every time I deploy anything. If you don't, a zero day is going to bite you in the ass: that's the world we now live in.

I think you're using a different definition of zero day than what is standard. Any zero day vulnerability is not going to have a patch you can get with an update.


jcalvinowens | 3 months ago

Zero days often get fixed sooner than seven days. If you wait seven days, you're pointlessly vulnerable.

saurik | 3 months ago

Only if you already upgraded to the one with the bug in it, and then only if you ignore "this patch is actually different: read this notice and deploy it immediately". The argument is not "never update quickly": it is don't routinely deploy updates constantly that are not known to be high priority fixes.

icehawk | 3 months ago

Known vulnerabilities often get fixed sooner than seven days.

You will not know how long it takes to get a zero day fixed, because the "zero" in "zero day" ends when the vendor is informed:

> "A zero day vulnerability refers to an exploitable bug in software that is unknown to the vendor."