Re: FORCED RELEASE NOTES - CORE-090400 - BID 1634
From: Blue Boar <BlueBoar () THIEVCO COM>
Date: Mon, 4 Sep 2000 22:40:14 -0700
That being said, there really is no one to blame for this situation.
There exists no forum for competing vendors to share information like
this and further many vendors simply don't seem interested in working
with other vendors to see multi vendor vulnerabilities resolved.
Never attribute to malice what can be explained by stupidity, but just
How's about this for an incentive: To vendors who jump the gun so they
can get "First Patch!".. how many times do you think you'll do that
before you start getting dropped off the notification list? I'm not
talking about any list that SecurityFocus maintains (though I wouldn't
discount that either) but rather the R&D groups and individuals who
so often find these holes. Many of these people are only able to
spend their time doing this because of some sort of benefit they derive
from the publicity. If that starts to be messed with, you can bet that's
going to hurt your chances of getting advance notice (i.e. they can
ensure they get their props by NOT notifying you next time.)
Anyone else see any interesting parallels here? Here you've got
researchers trying their best to do the right thing for a bug
that potentially affects damn near every *nix out there, and some
of the vendors go forward with their own announcements without
telling the people who reported it to them. Hello? Golden Rule?
Hello? McFly? Bueller?
Again, I would tend to attribute this to growing pains. After all,
the vendors aren't used to having the 0-day, and I'm sure they just
I'd like to see a little policy statement from the various vendors
to the effect of whether they're willing to do coordinated releases
or not. I think I'm hearing that SecurityFocus is willing to do
escrow for parties that wish to use them.