Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Submission
From: Rune Kristian Viken <arcade () KVINESDAL COM>
Date: Wed, 29 Nov 2000 13:36:46 +0100

Response to:
 Vedor Response and Reporting Vulnerabilities.
 Written by:  HellNbak (hellNbak () hushmail com)

At risk of started the age old "Full Disclosure" debate again, I felt
that I had to write this.  It seems lately, that the so called security
industry has lost its backbone.  To quote a director of a popular
security portal; "The whole thing is  just sickening, I am waiting for
someone to say something about it".  Well, here is your someone.

Strange.  I started out, reading this, positive and agreeing.  The security
industry *has* lost its backbone.  Its looking more and more like CERT for
every day that goes by - and it makes me sick.

B.)  There is nothing forcing Georgi or anyone for that matter to follow
RFPolicy, but the policy is a good idea and is very sound, so why not
follow it.

What if you disagree with parts of it?  Personally I think RFP is far too
cooperative, and far too CERT-alike these days.

I know a lot of you are probably thinking that this rant is pointed
directly at Georgi and I guess it is as he is probably the largest
offender.  Georgi, take this message for what it is worth, you are no
longer doing the security industry a service, you are letting people know
that AOL/Netscape and their big pockets can take a once respected person
and obviously very intelligent security professional and use them to do
their bidding.

Facts:
1.  He discovered a flaw.
2.  He published a flaw openly.

Arguments:
Publishing flaws in security programs gets them fixed.
Fixing security flaws are positive.

As far as I can see, what he has done, is to get a security flaw fixed.
That is a service.  Period.  Claiming he is not doing us a favor is
ridiculous. Trying to force -one policy- upon all security folks are
ridiculous.  If all flaws are to be handled in One Right Way, I for sure
know a lot of folks that won't care to get things fixed, if they discover
flaws.

--
"Rune Kristian Viken" <arcade () kvinesdal com>


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]