Full Disclosure: Re: it\'s all about timing

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

Re: it\'s all about timing

From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Thu, 1 Aug 2002 10:28:15 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On Thu, 1 Aug 2002 09:57:37 -0700, full-disclosure () lists netsys com wrote:

On Thu, 01 Aug 2002 16:03:33 +0300, Georgi Guninski <guninski () guninski com> said:


   GG> What scares me is that the "Responsible Disclosure" FUD continues.
   GG> On bugtraq people write that CERT and SecurtyFocus are "established parties" and
   GG> everyone who does not give them their 0days is irresponsible (at least CERT is
   GG> known to sell 0days). I personally won't give them my 0days early.

I would like to see evidence that CERT "sells 0days".  Pretty
significant claim.  Although, I probably wouldn't disclose the actual
exploits to CERT, just to the vendor.



Punch in  "CERT sell warnings" in any search engine and what do you get:

"Companies would pay $2,500 to $70,000 annually, depending on their revenue, and in exchange would receive warnings 
about new Internet threats generally 45 days before anyone else."


What's the big surprise, submit a zero-day to CERT, they hang onto it, tell their paying customers about it, then 45 
days later release it.

WASHINGTON -- One of the U.S. government's front-line defenses against cyber-sabotage will begin selling its early 
warnings about the latest Internet threats, something it used to share only with federal agencies.
The shift comes as the taxpayer-funded CERT Coordination Center, formerly known as the Computer Emergency Response 
Team, joins a prominent electronics trade association to form a new "Internet Security Alliance."

The effort, to be announced here Thursday, would distribute up-to-the-minute warnings to international corporations 
about cyber-threats, offer security advice and ultimately establish a seal program to certify the security of 
companies' computer networks. Companies would pay $2,500 to $70,000 annually, depending on their revenue, and in 
exchange would receive warnings about new Internet threats generally 45 days before anyone else.

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wmYEARECACYFAj1JbpQfHGNob29zZS5hLnVzZXJuYW1lQGh1c2htYWlsLmNvbQAKCRDT
5JkCl0iMkCPfAJ4zJpa7NvHfgq6qxW7xUweKrdrjBQCgnXPmHD6QuulReJqXuhbm0ByJ
AZk=
=Y6NF
-----END PGP SIGNATURE-----


Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople

By Date By Thread

Current thread:

Re: it\'s all about timing full-disclosure () lists netsys com (Aug 01)
- <Possible follow-ups>
- it\'s all about timing full-disclosure () lists netsys com (Aug 02)
- Re: it\'s all about timing Steven M. Christey (Aug 02)
- Re: it\'s all about timing full-disclosure () lists netsys com (Aug 02)
- Re: it\'s all about timing full-disclosure () lists netsys com (Aug 02)
- Re: it\'s all about timing Steven M. Christey (Aug 02)