From: Pierre Vandevenne (pierre@datarescue.com)
Date: Tue May 28 2002 - 18:02:59 EDT
Hello Alfred,
AH> conversations on-list about full-disclosure. I'm of the opinion it's a
AH> religious discussion with little or no merit for debate given that people
<humour>
Religious ??? Full disclosure is public nudism. Non-disclosure usually
ends up in strip-tease for a happy few.
</humour>
AH> In brief they are now unloading limited details to the public about
AH> vulnerabilities they have notified vendors about.
One week may be, in some cases, too short to expect a reliable fix.
Pushing vendors could lead to fixes that are buggier than what they
fix, or break other things. But yes, this is an understandable middle
ground and they address a real problem.
AH> the Pen-testing community is that these vulnerabilities which are in the
AH> process (presumably) of being fixed are actively being coded into the
AH> Typhon II Vulnerability Assessment Scanner from NGSSoftware. This
Fair enough. They have a competitive advantage. They deserve it. Which
other company would sit on a competitive advantage and not use it ?
If they were telling us they are not using their knowledge, would we
believe them ? Would we trust them ?
-- Best regards, Pierre mailto:pierre@datarescue.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT