#1
"VulnWatch is a free open disclosure mailing list serving the security community and vendors alike. While the moderators of VulnWatch support open disclosure we encourage our posters to work with vendors in a responsible way before reporting the vulnerability to the general public. VulnWatch is also willing to assist researchers and vendors in dealing with possible security issues in the most responsible way without compromising the open disclosure principles."
http://www.vulnwatch.org/
#2
If someone discovers a security bug that can be immediately carried out, before declaring this fact before the world and getting their name in all the security newsletters, they should let the manufacturer know about the problem and give them a reasonable amount of time to produce a fix. If they refuse to acknowledge the bug, then by all means release the information and let the manufacturer take the blame for any damage.
I've seen several cases where people decide to make a name for themselves by publishing detailed exploit instructions without giving the maker time to release a fix. In my opinion, that's nothing more than malicious cracking. Just my $0.02
__________________
www.spywareinfo.com
#3
I'm with Mike. Give 'em a chance to fix it, and if they aren't willing, let 'em have it.
__________________
"The price of freedom is eternal vigilance." - Thomas Jefferson
#4
Same here - I must agree with Mike.
Especially when you find a bug (usually "critical" in nature) in Microsoft software - let MS have a couple months to work on a patch before you release. But if they don't acknowledge you (has happened in the past, at least from MS) then go ahead and release it on the net - it might finally make them start working on a fix (is there a "priority" system for patching things at MS?).
-javacool
__________________
*Official BrightFort Website* *SpywareBlaster* *Please note: I am not responsible if any advice herein causes any trouble whatsoever *
#5
Quote:
And that Linux is reclassified as a terrorist grade weapon.
__________________
My Novel
#6
Quote:
I can safely say I understood none of that. The good news is I'm OK with that. The bad news is that you could never work the security desk at WallyWorld aka WalMart and talk in that there jargon feller. Now moi or me and or I could work the WallyWorld security desk real good and ask for handsome wages.