Full Disclosure
mailing list archives
it's all about timing
From: full-disclosure () lists netsys com (Timothy J.Miller)
Date: Thu, 1 Aug 2002 09:54:57 -0500
On Wednesday, July 31, 2002, at 04:26 PM, Florin Andrei wrote:
> But every security problem
> (especially when it's accompanied by an exploit) should be reported
> first to the vendor! There should be no exception from this rule. The
> person doing the reporting should give the vendor a reasonable period of
> time to fix it; say, a few weeks or so.
I can't agree. In my day job I maintain systems for a defense agency,
and I *have* to know what my exposures are *at all times*, whether a fix
exists or not, since lives can be dependent (directly or indirectly) on
the availability and integrity of my systems.
Without this information, I can't mitigate my risk. Leaving *my* risk
in the hands of a vendor-- who has a vested interest in *not* letting me
know-- is wrong.
-- Cerebus