Response to:
Vedor Response and Reporting Vulnerabilities.
Written by: HellNbak (hellNbak_at_hushmail.com)
> At risk of started the age old "Full Disclosure" debate again, I felt
> that I had to write this. It seems lately, that the so called security
> industry has lost its backbone. To quote a director of a popular
> security portal; "The whole thing is just sickening, I am waiting for
> someone to say something about it". Well, here is your someone.
Strange. I started out, reading this, positive and agreeing. The security
industry *has* lost its backbone. Its looking more and more like CERT for
every day that goes by - and it makes me sick.
> B.) There is nothing forcing Georgi or anyone for that matter to follow
> RFPolicy, but the policy is a good idea and is very sound, so why not
> follow it.
What if you disagree with parts of it? Personally I think RFP is far too
cooperative, and far too CERT-alike these days.
> I know a lot of you are probably thinking that this rant is pointed
> directly at Georgi and I guess it is as he is probably the largest
> offender. Georgi, take this message for what it is worth, you are no
> longer doing the security industry a service, you are letting people know
> that AOL/Netscape and their big pockets can take a once respected person
> and obviously very intelligent security professional and use them to do
> their bidding.
Facts:
1. He discovered a flaw.
2. He published a flaw openly.
Arguments:
Publishing flaws in security programs gets them fixed.
Fixing security flaws are positive.
As far as I can see, what he has done, is to get a security flaw fixed.
That is a service. Period. Claiming he is not doing us a favor is
ridiculous. Trying to force -one policy- upon all security folks are
ridiculous. If all flaws are to be handled in One Right Way, I for sure
know a lot of folks that won't care to get things fixed, if they discover
flaws.
--
"Rune Kristian Viken" <arcade_at_kvinesdal.com>
Received on Nov 30 2000
Intro
