Scanners and unpublished vulnerabilities - Full Disclosure

From: Alfred Huger (ah@securityfocus.com)
Date: Tue May 28 2002 - 14:05:43 EDT

• Next message: Ryan Russell: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Previous message: Fabio Pietrosanti (naif): "Re: S-box Experiences"
• Next in thread: Jay D. Dyson: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Reply:(deleted message) Jay D. Dyson: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Reply: Ryan Russell: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Reply: Pierre Vandevenne: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Reply: Drew: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Maybe reply: David Litchfield: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Reply: Renaud Deraison: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Maybe reply: Alfred Huger: "RE: Scanners and unpublished vulnerabilities - Full Disclosure"
• Maybe reply: Alfred Huger: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Maybe reply: Deus, Attonbitus: "RE: Scanners and unpublished vulnerabilities - Full Disclosure"
• Maybe reply: Muhammad Faisal Rauf Danka: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Reply: Vanja Hrustic: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Reply: batz: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Maybe reply: Ballowe, Charles: "RE: Scanners and unpublished vulnerabilities - Full Disclosure"
• Maybe reply: Jon Bull: "Fw: Scanners and unpublished vulnerabilities - Full Disclosure"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Heya all,

Most of you who are long time users of this list know I tend to avoid
conversations on-list about full-disclosure. I'm of the opinion it's a
religious discussion with little or no merit for debate given that people
are unlikely to move from their current position.

Having said this every now and then something does occur within our
industry to spur discussion. In this case I came across something which
directly impacts the Pen-Testing arena and I would like to throw it out
for open discussion. The event in question is a new Vendor Notification
Alert Scheme the folks over at NGSSoftware announced yesterday. The
announcement can (and should be) read at:

http://www.nextgenss.com/news/vna.html

In brief they are now unloading limited details to the public about
vulnerabilities they have notified vendors about. Their reasoning behind
this is well thought out and I suggest you read the announcement before
jumping to a visceral conclusion one way or another. The way this impacts
the Pen-testing community is that these vulnerabilities which are in the
process (presumably) of being fixed are actively being coded into the
Typhon II Vulnerability Assessment Scanner from NGSSoftware. This
obviously is a significant issue which I suspect many of you out there
have opinions on. I have my own but I'll hold out on commenting till the
conversation gets under way (if it actually does so).

Lastly, before you post a reply - please read the provided URL. And for
those of you who are entirely disinterested in threads like this, please
accept my apologies in advance.

-al

VP Engineering
SecurityFocus
"Vae Victis"

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Next message: Ryan Russell: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Previous message: Fabio Pietrosanti (naif): "Re: S-box Experiences"
• Next in thread: Jay D. Dyson: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Reply:(deleted message) Jay D. Dyson: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Reply: Ryan Russell: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Reply: Pierre Vandevenne: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Reply: Drew: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Maybe reply: David Litchfield: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Reply: Renaud Deraison: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Maybe reply: Alfred Huger: "RE: Scanners and unpublished vulnerabilities - Full Disclosure"
• Maybe reply: Alfred Huger: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Maybe reply: Deus, Attonbitus: "RE: Scanners and unpublished vulnerabilities - Full Disclosure"
• Maybe reply: Muhammad Faisal Rauf Danka: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Reply: Vanja Hrustic: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Reply: batz: "Re: Scanners and unpublished vulnerabilities - Full Disclosure"
• Maybe reply: Ballowe, Charles: "RE: Scanners and unpublished vulnerabilities - Full Disclosure"
• Maybe reply: Jon Bull: "Fw: Scanners and unpublished vulnerabilities - Full Disclosure"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT