Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: Drew (simonis@myself.com)
Date: Tue May 28 2002 - 15:42:00 EDT


Alfred Huger wrote:
>
> Heya all,
>
> Most of you who are long time users of this list know I tend to avoid
> conversations on-list about full-disclosure. I'm of the opinion it's a
> religious discussion with little or no merit for debate given that people
> are unlikely to move from their current position.
>
> Having said this every now and then something does occur within our
> industry to spur discussion. In this case I came across something which
> directly impacts the Pen-Testing arena and I would like to throw it out
> for open discussion. The event in question is a new Vendor Notification
> Alert Scheme the folks over at NGSSoftware announced yesterday. The
> announcement can (and should be) read at:
>
> http://www.nextgenss.com/news/vna.html
>

Seems to me like a thinly veiled marketing announcement. Worked, too.

I don't notice anything _too_ radically separated from well known
vulnerability disclosure methods, with the singular exception that
they do not make accommodations for a responsive vendor who has not
yet released a patch, which is in contrast to the RFPolicy, a well
known disclosure roadmap, and the referenced Christey-Wysopal policy.

I read it as "Buy our scanner and you'll have access to vulnerabilities
others don't yet have".

-Ds

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT