Full Disclosure mailing list archives
Re: Re: Full Disclosure != Exploit Release
From: KF <dotslash () snosoft com>
Date: Wed, 29 Jan 2003 10:00:17 -0500
Paul Schmehl wrote:
> On Wed, 2003-01-29 at 06:13, David Howe wrote:
> > That is of course your choice. Vendors in particular were prone to deny a vulnerability existed unless exploit code were published to prove it.
>
> I've read this mantra over and over again in these discussions, and a question occurs to me. Can anyone provide a *documented* case where a vendor refused to produce a patch **having been properly notified of a vulnerability** until exploit code was released?

Heck yeah! See our issues with Compaq / HP earlier this summer... I was basically told sure you can cause a segfault but our non-executable stack is the holy grail and YOU can not touch it. Basically laughing in my face for even implying that I could take root on a TRU64 box via a buffer overflow. Without an exploit they claimed it was NOT possible. I have heard of similar horror stories with HP... anyone else care to share?
You all know the outcome of that... an exploit was leaked, they flipped out, tried to sue us, and miraculously you see patches in a few days.
-KF
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html