Full Disclosure mailing list archives
Re: some ooold Juniper bugs (was: ZDI-10-231: Juniper Secure Access Series meeting_testjava.cgi XSS Vulnerability)
From: Jeffrey Walton <noloader () gmail com>
Date: Sun, 7 Nov 2010 22:05:34 -0500
On Sun, Nov 7, 2010 at 7:57 PM, Michal Zalewski <lcamtuf () coredump cx> wrote:
> This reminded me of a bunch of problems I spotted in Juniper SSL VPN a while ago; they are apparently fixed, but I don't recall seeing any public vendor advisory / credit for reporting them - so here you go, even if just for the record...
My impressions and experience: (1) some companies don't want to know of problems in their software; (2) some companies don't want to fix the reported problems in their software because the remainder of their house of cards becomes unstable; (3) other companies want to know, but don't want to publicly acknowledge the defect or offer credit; and (4) a small number of companies want to know so they can fix and offer credit. Unfortunately, my observations seem to indicate very few companies fall under (4).

And my personal experience with software vendors developing antivirus, firewall and other security software: approximately 150 defects reported to 20 vendors. Only Symantec published an advisory and offered credit.

And the political spin: companies get away with shipping broken software and residing in (1) and (2) above because there are no software liability laws, even though software enjoys intellectual property protection. Reason: In America, corporate America bribes the legislature (err, makes 'PAC contributions').
[SNIP]
Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/