Security issues before public knowledge

Discussion in 'other security issues & news' started by zappa, Jul 7, 2002.

Thread Status:
Not open for further replies.
  1. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    "VulnWatch is a free open disclosure mailing list serving the security community and vendors alike. While the moderators of VulnWatch support open disclosure, we encourage our posters to work with vendors in a responsible way before reporting the vulnerability to the general public. VulnWatch is also willing to assist researchers and vendors in dealing with possible security issues in the most responsible way without compromising the open disclosure principles."

    http://www.vulnwatch.org/
     
  2. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    If someone discovers a security bug that can be immediately carried out, before declaring this fact before the world and getting their name in all the security newsletters, they should let the manufacturer know about the problem and give them a reasonable amount of time to produce a fix. If they refuse to acknowledge the bug, then by all means release the information and let the manufacturer take the blame for any damage.

    I've seen several cases where people decide to make a name for themselves by publishing detailed exploit instructions without giving the maker time to release a fix. In my opinion, that's nothing more than malicious cracking.

    Just my $0.02
     
  3. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    I'm with Mike. Give 'em a chance to fix it, and if they aren't willing, let 'em have it.
     
  4. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    Same here - I must agree with Mike.

    Especially when you find a bug (usually "critical" in nature) in Microsoft software - let MS have a couple months to work on a patch before you release. ;) But if they don't acknowledge you (has happened in the past, at least from MS) then go ahead and release it on the net - it might finally make them start working on a fix (is there a "priority" system for patching things at MS? :D).

    -javacool
     
  5. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Yes there is. Whichever problem will bring in the greatest revenue / block the most costly litigation will get worked on first. First they work out which modules need fixing, then they work out how to attach DRM components to it, then they reword the EULA, fix the code (an afterthought at best) and then they make it available to their victims, the public - on the sole condition that users suspend their higher brain functions.

    And that Linux is reclassified as a terrorist grade weapon.
     
  6. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.

    I can safely say I understood none of that.

    The good news is I'm OK with that.

    The bad news is that you could never work the security desk at WallyWorld aka WalMart and talk in that there jargon feller.

    Now moi or me and or I could work the WallyWorld security desk real good and ask for handsome wages.
     