Full Disclosure mailing list archives
Re: RE: Disclosure policy in Re: RealPlayer vulnerabilities
From: "Pavel Kankovsky" <peak () argo troja mff cuni cz>
Date: Sat, 9 Oct 2004 00:11:17 +0200 (CEST)
On Fri, 8 Oct 2004, Martin Viktora wrote:
I truly believe that vulnerability disclosure should follow these steps:
0. ("The primordial sin") The vulnerable product is released and all information about the vulnerability is made available *by the vendor itself* to anyone with enough competence, free resources, motivation, and a copy of the product. This is conditio sine qua non. The rest of the story is nothing but deobfuscation of that information.
Second, you say that vendors must work much harder at reducing patch development time and I cannot agree with you more, especially after what I stated above.
Vendors must work much harder to avoid releasing vulnerable code in the first place. No vulnerabilities--no 0-says, no disclosures, no incidents, no need to hurry to install security patches. Or, at least, they themselves should proactively find and fix vulnerabilities in their own products. Isn't it absurd to wait until someone else does their work (security QA) for them and even expect the other party to follow their standards ("responsible disclosure")? --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Disclosure policy in Re: RealPlayer vulnerabilities Drew Copley (Oct 07)
- Re: RE: Disclosure policy in Re: RealPlayer vulnerabilities Martin Viktora (Oct 08)
- Re: RE: Disclosure policy in Re: RealPlayer vulnerabilities dave (Oct 08)
- Re: RE: Disclosure policy in Re: RealPlayer vulnerabilities Pavel Kankovsky (Oct 08)
- Re: RE: Disclosure policy in Re: RealPlayer vulnerabilities yossarian (Oct 08)
- <Possible follow-ups>
- Re: RE: Disclosure policy in Re: RealPlayer vulnerabilities Jason Coombs PivX Solutions (Oct 07)
- Re: RE: Disclosure policy in Re: RealPlayer vulnerabilities Martin Viktora (Oct 08)