Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: David Litchfield (mnemonix@globalnet.co.uk)
Date: Tue May 28 2002 - 19:07:35 EDT


Many people in this industry know me, if not personally, then by reputation
and know I have always been a supporter of full disclosure. The idea behind
the VNA is exactly as we state on the web site. It exists as a method to
"persuade" vendors to provide their customers with a patch rather than
silently supply security fixes in a service pack. We all know that trying to
keep up with patches can be a never-ending task - however - if there is a
security problem in the software I use I'd rather be able to assess the risk to
me or my organization myself and determine if I need to install the patch or
whether I can wait until the next service pack comes out. In the absence of
a patch I can't make this choice though - the vendor has done the risk
assessment for me - and this is useless - how can they, not knowing my
circumstances, decide for me whether a security problem should be left for
the next 8 months until the next service pack is due out?

I'd rather see vendors furnishing their customers with the right information
and a patch so the _customer_ can decide whether they want or need to fix the
hole.

Now - what has been happening recently is quite the opposite. Vendors have
been moving away from providing a patch to rolling them up in service packs.
Hence the VNA. I feel that once a vendor is publicly seen to have a problem
with their code then the only responsible thing they can do is provide their
customers with a patch.

The VNA is not some marketing scheme. Whenever I have discovered a problem
it has always (well 90% of the time) immediately gone into Cerberus Internet
Scanner or Typhon so this aspect of the VNA thing is not new by any stretch
of the imagination. What's more the VNAs are not posted to any mailing
list - only posted on our site. Those who most come to our site are our
customers - and I don't need to market to these people.

I hope this clears up some of the speculation.

Cheers,

David Litchfield

http://www.ngssoftware.com/
