[Fwd: Scanners and unpublished vulnerabilities - Full Disclosure]

From: E (j46@btinternet.com)
Date: Tue May 28 2002 - 14:46:18 EDT


attached mail follows:


This seems like nothing more than yet another case of a security company using the release of vulnerabilities to raise its profile. If they release the information to the general public after 1 week, who benefits? Since a patch may not be available, the end user certainly isn't the winner in this situation; in fact the only winner is the company releasing the information.

If you coordinate with the vendor and wait until a patch is ready, this would seem to be the most ethical approach. Releasing vulnerability information before the vendor has released a patch is irresponsible and reveals the true self-promoting motives of the person releasing the information.

If the vendor does not release a patch within your specific "time frame", it is their problem and not yours; it does not give you the right to release the info just because you want to. All you do is put the vendor's users at increased risk.

This URL strikes me as being totally irresponsible and pointless...

When are people going to stop acting in their own financial best interests and begin acting in the interests of the community?

Alfred Huger wrote:

> Heya all,
>
> Most of you who are long time users of this list know I tend to avoid
> conversations on-list about full-disclosure. I'm of the opinion it's a
> religious discussion with little or no merit for debate given that people
> are unlikely to move from their current position.
>
> Having said this every now and then something does occur within our
> industry to spur discussion. In this case I came across something which
> directly impacts the Pen-Testing arena and I would like to throw it out
> for open discussion. The event in question is a new Vendor Notification
> Alert Scheme the folks over at NGSSoftware announced yesterday. The
> announcement can (and should be) read at:
>
> http://www.nextgenss.com/news/vna.html
>
> In brief they are now unloading limited details to the public about
> vulnerabilities they have notified vendors about. Their reasoning behind
> this is well thought out and I suggest you read the announcement before
> jumping to a visceral conclusion one way or another. The way this impacts
> the Pen-testing community is that these vulnerabilities which are in the
> process (presumably) of being fixed are actively being coded into the
> Typhon II Vulnerability Assessment Scanner from NGSSoftware. This
> obviously is a significant issue which I suspect many of you out there
> have opinions on. I have my own but I'll hold out on commenting till the
> conversation gets under way (if it actually does so).
>
> Lastly, before you post a reply - please read the provided URL. And for
> those of you who are entirely disinterested in threads like this, please
> accept my apologies in advance.
>
> -al
>
> VP Engineering
> SecurityFocus
> "Vae Victis"
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT