From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Wed, 29 Nov 2000 10:10:38 -0800
I am killing the thread. It accomplished its purpose of reminding
everyone of the issues. A couple of comments before I kill it.
Several folks mentioned that they may not wish to work with a
vendor because the vendor does not deserve it. This view misses
the point. You do not work with the vendor to benefit them.
You work with the vendor to mitigate the risk a new vulnerability
may pose to users of their products or services. Your like or dislike
for the vendor should not come into the equation.
It's this very same reasoning which, if you are working with a
vendor but they are not being responsive and are not producing
a fix in a timely, reasonable manner, should make you break away
from them and publish the vulnerability. At some point in time the
dangers of not disclosing the vulnerability outweigh the benefits of
waiting for the vendor. Again, it's the goal of mitigating the risk of
a new vulnerability to the public that should drive you.
There are valid arguments for whether to give vendors advance notice
of a vulnerability or disclose it right away to the public. Everyone
will not agree one way or the other all the time. But giving a vendor
only a few days' notice, when it's well known that that short amount
of time will not be sufficient for a vendor to produce a fix, has
none of the advantages of either approach and would be considered
by many more of a taunt to the vendor. If you are going to disclose
a vulnerability, either be willing to work with the vendor or publish
right away - but don't do it half way.
Of course any disclosure is better than none, and we should all be
grateful for it.
Si vis pacem, para bellum