Bugtraq mailing list archives
Re: FORCED RELEASE NOTES - CORE-090400 - BID 1634
From: Blue Boar <BlueBoar () THIEVCO COM>
Date: Mon, 4 Sep 2000 22:40:14 -0700
That being said, there really is no one to blame for this situation. There exists no forum for competing vendors to share information like this and further many vendors simply don't seem interested in working with other vendors to see multi vendor vulnerabilities resolved.
Never attribute to malice what can be explained by stupidity, but just in case..

How's about this for an incentive: To vendors who jump the gun so they can get "First Patch!".. how many times do you think you'll do that before you start getting dropped off the notification list? I'm not talking about any list that SecurityFocus maintains (though I wouldn't discount that either) but rather the R&D groups and individuals who so often find these holes. Many of these people are only able to spend their time doing this because of some sort of benefit they derive from the publicity. If that starts to be messed with, you can bet that's going to hurt your chances of getting advance notice (i.e. they can ensure they get their props by NOT notifying you next time.)

Anyone else see any interesting parallels here? Here you've got researchers trying their best to do the right thing for a bug that potentially affects damn near every *nix out there, and some of the vendors go forward with their own announcements without telling the people who reported it to them. Hello? Golden Rule? Hello? McFly? Bueller?

Again, I would tend to attribute this to growing pains. After all, the vendors aren't used to having the 0-day, and I'm sure they just got excited.

I'd like to see a little policy statement from the various vendors to the effect of whether they're willing to do coordinated releases or not. I think I'm hearing that SecurityFocus is willing to do escrow for parties that wish to use them.

Blue Boar
vuln-dev moderator