Bugtraq mailing list archives

RE: Can we afford full disclosure of security holes?


From: rms () privacyfoundation org (Richard M. Smith)
Date: Fri, 10 Aug 2001 15:32:53 -0400

I've probably found a dozen or so security holes in Microsoft products.
Many of these problems were reported on the BugTraq list without full
disclosure.  How come so few people have ever approached me for the full
details?  I guess I don't see the same level of demand for
full-disclosure as you do.

However, one thing is now crystal clear with Code Red: full-disclosure
comes with one hell of a price tag.  There has to be a better way.

Richard

-----Original Message-----
From: aleph1 () securityfocus com [mailto:aleph1 () securityfocus com] 
Sent: Friday, August 10, 2001 3:24 PM
To: Richard M. Smith
Cc: bugtraq () securityfocus com
Subject: Re: Can we afford full disclosure of security holes?


* Richard M. Smith (rms () privacyfoundation org) [010810 19:19]:
> For this particular IIS bug, it is all very simple.  If you run IIS,
> download the Microsoft patch!
>
> Buffer overflows are a dime a dozen.  Who really cares about the
> details of this particular problem other than Microsoft?

Who cares? System administrators, security vendors, researchers, etc.
Did you not read my message? All these people need the information.

> Richard

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
