Full Disclosure mailing list archives

RE: it's all about timing


From: full-disclosure () lists netsys com (Scott, Richard)
Date: Thu, 1 Aug 2002 08:51:05 -0500

<snip>
Only if the vendor does nothing in these weeks, only then the
report/exploit/whatever should be made public.
<snip>

[RS] For those on the FULL DISCLOSURE list, you can read the full thread on
Bugtraq.  The exploit is not the problem; it is truly related to the fact
that vendors must notify clients directly if a vulnerability is found.
Just because a security hole has been discovered does not mean other factors
cannot be used to mitigate risk.

<snip>
If hacker H writes a comment on Slashdot, making public an exploit
against some software made by vendor V, and does not notify V in advance
(say, 2...4 weeks in advance), and then V sues H, then who's right?
<snip>
[RS] If the vendor was aware for 2-4 weeks and failed to notify its
clients, yes.


Richard Scott
INFORMATION SECURITY
Tel: (001) -952-324-0697
Fax: (001) -952-996-4830
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy
or any of its subsidiaries
