mailing list archives
From: Rune Kristian Viken <arcade () KVINESDAL COM>
Date: Wed, 29 Nov 2000 13:36:46 +0100
Vedor Response and Reporting Vulnerabilities.
Written by: HellNbak (hellNbak () hushmail com)
At risk of started the age old "Full Disclosure" debate again, I felt
that I had to write this. It seems lately, that the so called security
industry has lost its backbone. To quote a director of a popular
security portal; "The whole thing is just sickening, I am waiting for
someone to say something about it". Well, here is your someone.
Strange. I started out, reading this, positive and agreeing. The security
industry *has* lost its backbone. Its looking more and more like CERT for
every day that goes by - and it makes me sick.
B.) There is nothing forcing Georgi or anyone for that matter to follow
RFPolicy, but the policy is a good idea and is very sound, so why not
What if you disagree with parts of it? Personally I think RFP is far too
cooperative, and far too CERT-alike these days.
I know a lot of you are probably thinking that this rant is pointed
directly at Georgi and I guess it is as he is probably the largest
offender. Georgi, take this message for what it is worth, you are no
longer doing the security industry a service, you are letting people know
that AOL/Netscape and their big pockets can take a once respected person
and obviously very intelligent security professional and use them to do
1. He discovered a flaw.
2. He published a flaw openly.
Publishing flaws in security programs gets them fixed.
Fixing security flaws are positive.
As far as I can see, what he has done, is to get a security flaw fixed.
That is a service. Period. Claiming he is not doing us a favor is
ridiculous. Trying to force -one policy- upon all security folks are
ridiculous. If all flaws are to be handled in One Right Way, I for sure
know a lot of folks that won't care to get things fixed, if they discover
"Rune Kristian Viken" <arcade () kvinesdal com>