Comment by icehawk

7 days ago

> I upgrade all dependencies every time I deploy anything. If you don't, a zero day is going to bite you in the ass: that's the world we now live in.

I think you're using a different definition of zero day than what is standard. Any zero day vulnerability is not going to have a patch you can get with an update.

Zero days often get fixed sooner than seven days. If you wait seven days, you're pointlessly vulnerable.

  • Only if you already upgraded to the one with the bug in it, and then only if you ignore "this patch is actually different: read this notice and deploy it immediately". The argument is not "never update quickly": it is don't routinely deploy updates constantly that are not known to be high priority fixes.

    • > The argument is not "never update quickly": it is don't routinely deploy updates constantly that are not known to be high priority fixes.

      Yes. I'm saying that's wrong.

      The default should always be to upgrade to new upstream releases immediately. Only in exceptional cases should things be held back.

  • Known vulnerabilities often get fixed sooner than seven days.

    You will not know how long it takes to get a zero day fixed, because zero in "zero day" ends when the vendor is informed:

    > "A zero day vulnerability refers to an exploitable bug in software that is unknown to the vendor."