Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws

["Dude VanWinkle" <dudevanwinkle () gmail com>]

On 8/28/06, Matthew Murphy <mattmurphy () kc rr com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Dude VanWinkle wrote:
> > On 8/28/06, Michal Zalewski <lcamtuf () dione ids pl> wrote:
> >> On Mon, 28 Aug 2006, Dude VanWinkle wrote:
> >>
> >> > "Tipping Point customers have been protected from this flaw since
> >> x.y.z"
> >> > Is that extortion?
> >>
> >> No. Sorry.
> >>
> >
> > I guess it depends on the vendor and how long they have given them to
> > patch the issue.
> >
> > Still FD of 30 0-days seems odd for a security company that will profit
> > off it.
> >
> > Que Sirah
> >
> > -JP
>
> This is not "full disclosure" of any of these vulnerabilities.  The
> snippet ferg quoted says there will be a LIST of these issues published,
> and in fact it has been published:
>
>      http://www.zerodayinitiative.com/upcoming_advisories.html
>
> This is called a "disclosure pipeline".  IOW, it names vendors we have
> cases open with and the length of time those cases have been open.  Also
> included is a self-issued internal severity rating from TippingPoint.
> There's minimal information actually provided.


whoops! I thought deails were provided

sorry!
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.