Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: Drew (simonis@myself.com)
Date: Wed May 29 2002 - 09:32:44 EDT


| Seems to me like a thinly veiled marketing announcement. Worked, too.
|
| I don't notice anything _too_ radically separated from well known
| vulnerability disclosure methods, with the singular exception that
| they do not make accommodations for a responsive vendor who has not
| yet released a patch, which is in contrast to the RFPolicy, a well
| known disclosure roadmap, and the referenced Christey-Wysopal policy.
|
| I read it as "Buy our scanner and you'll have access to vulnerabilities
| others don't yet have".
|

> >
> > I couldn't agree more. I personally see it as a ploy touting the
> > fact that their purchasable product will now and then be able to
> > look for some vulnerabilities that other products won't be able to.
>
> And this is wrong how? If David can protect his customers on a pro-active
> basis and allow them to assess their own risk I can't see how you find fault
> in it.
>

My original point was not that this is wrong or right. I wasn't
trying to make any value judgments on the merit of this process,
but instead on the overall technical value of the announcement.

It is rather like my announcing that my name is Drew Simonis,
but I've decided to spell it "Drew simonis". (Note the lowercase!)
I hardly think this would start a rollicking discussion or a new group
in alt.genealogy.surnames.*

In short, there is nothing of value in the announcement. They are
telling us that they are going to follow well known disclosure policies.
Isn't that a given for a respectable company? This is why I
characterized the announcement as a marketing ploy... for the lack of
content, not the value of the content.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT