Bugtraq mailing list archives
full disclosure and vendor education
From: ant () NOTATLA DEMON CO UK (Antonomasia)
Date: Sat, 20 Feb 1999 23:03:57 GMT
We are not going to get anywhere in software security until suppliers (I nearly said vendors) become more aware of the problems their code often has. There is a wide range of knowledge and ability among software suppliers. The upper end has its problems; the lower end is a menace.

Many list readers work hard at eliminating security bugs from their sites and do not look kindly on the flow of new and avoidable incoming bugs.

When you raise likely bug reports with a supplier they can go something like this:

Us> We just got "foo v10" from you. We noticed a remotely-accessible
Us> buffer overrun reaching the stack pointer in a root-run program.
Us> This is a security problem we'd like you to fix.

Them> Thank you for your interest. We are not aware of any security
Them> issues with our industry-leading product.

With a full-disclosure archived list you have an educational resource to lead these guys to, even if you can't make them think.

Spaf's point on making a dangerous bug known first to the public rather than the supplier is of course a valid one.

--
##############################################################
# Antonomasia   ant () notatla demon co uk                   #
# See http://www.notatla.demon.co.uk/                        #
##############################################################