Vulnerability Development mailing list archives
Re: Complicated Disclosure Scenario
From: "Nick Lange" <nicklange () wi rr com>
Date: Thu, 17 Jan 2002 14:34:51 -0600
One other point here [once again my opinion]: while many licenses forbid reverse engineering etc., if your license becomes void for researching security vulnerabilities or disclosing them to the public, then you need to point out to whoever makes budgeting decisions that this is not the product to use. Simply because their uncooperative attitude will end up costing *your* business money cleaning up a hacker attack if you follow the license! And for a business, that's all that matters [imho].

(I would seriously have you or your boss compare an IT cleanup of your servers after compromise to the cost of integrating a new product into your production environment over the long term.) The product may be good, but if you and other businesses are going to be screwed over by an environment of immaturity, is it worth it?

once again my two cents,
nick

----- Original Message -----
From: "Florian Weimer" <Weimer () CERT Uni-Stuttgart DE>
To: "Josha Bronson" <dmuz () slartibartfast angrypacket com>
Cc: <vuln-dev () securityfocus com>
Sent: Thursday, January 17, 2002 05:04
Subject: Re: Complicated Disclosure Scenario

Josha Bronson <dmuz () slartibartfast angrypacket com> writes:

> So, what would you do?

Write to the vendor and announce the publication of the preliminary results within, say, two weeks, and rely on Full Disclosure forcing the vendor to provide a fix. (However, there might be constraints in your license contracts which could make this illegal.)

I'm surprised that this aspect of Full Disclosure is still necessary today.

--
Florian Weimer            Weimer () CERT Uni-Stuttgart DE
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                  +49-711-685-5973/fax +49-711-685-5898