Bugtraq mailing list archives
Re: Submission
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Wed, 29 Nov 2000 10:10:38 -0800
I am killing the thread. It accomplished its purpose of reminding everyone of the issues. A couple of comments before I kill it.

Several folks mentioned that they may not wish to work with a vendor because the vendor does not deserve it. This view misses the point. You do not work with the vendor to benefit them. You work with the vendor to mitigate the risk a new vulnerability may pose to users of their products or services. Your like or dislike for the vendor should not come into the equation.

It's this very same reasoning which if you are working with a vendor but they are not being responsive and are not producing a fix in a timely reasonable manner should make you break away from them and publish the vulnerability. At some point in time the dangers of not disclosing the vulnerability outweigh the benefits of waiting for the vendor. Again, it's the goal of mitigating the risk of a new vulnerability to the public that should drive you.

There are valid arguments for whether to give vendors advance notice of a vulnerability or disclosing it right away to the public. Everyone will not agree one way or the other all the time. But giving a vendor only a few days notice, when it's well known that that short amount of time will not be sufficient for a vendor to produce a fix, has none of the advantages of either approach and would be considered by many more of a taunt to the vendor. If you are going to disclose a vulnerability either be willing to work with the vendor or publish right away - but don't do it half way.

Of course any disclosure is better than none, and we should all be grateful for it.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum