Dailydave mailing list archives
Re: Half Disclosure
From: ned <nd () felinemenace org>
Date: Wed, 3 Nov 2004 14:58:16 -0800 (PST)
On Wed, 3 Nov 2004 robert () dyadsecurity com wrote:
> I know there is a debate (http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1014528,00.html) between the security research community and the Confused Illusionary Supposed Security People communities. The industry seems to be taking a funny twist with the practice of disclosure of newly identified problems.
>
> My team for years has joked about creating a "Half Disclosure" mailing list. This list would either A) tell you that a particular piece of software has a problem... or B) provide working exploit code with no product reference. Little did we know other companies had the same sense of humor: http://www.securityfocus.com/archive/1/380152/2004-10-31/2004-11-06/0

eEye does it too: http://www.eeye.com/html/research/upcoming/index.html

> "... are going to withhold details about this flaw for three months. Full details will be published on the [later]. This three month window will allow users of [product] the time needed to download the updated version before the details are released to the general public. This reflects [companies]'s new approach to responsible disclosure."
>
> Is this really the path we want to take?
>
> Robert
-- http://felinemenace.org/~nd