mailing list archives
Re: Announcing new security mailing list
From: full-disclosure () lists netsys com (John Cartwright)
Date: Thu, 11 Jul 2002 14:57:26 +0100
On Thu, Jul 11, 2002 at 01:42:16PM +0200, Simon Richter wrote:
You may wish to subscribe to the list so that you and others may debate this
issue. The list is configured so that non-members may not post.
To me, the term "full disclosure" does not mean "make it available as fast
as possible", but rather "here is the information, expect it to leak in
the next two weeks, so go out and fix the bug". The current bugtraq scheme
enforces that, and I believe they are doing a great job.
We are placing the responsibility with the individual, not with an
organisation here. What we do not believe in is having a situation where
a select few are aware of a problem, but 99% of the internet populace are
powerless to defend against it. We are not saying that the vendor should not
be informed, we are saying, inform the people and the vendor simultaneously.
By creating a forum in which vulnerability spotters can get "instant
fame", you are forcing software vendors to monitor the forum 24/7, as a
new vulnerability in their software could be disclosed anytime, and at the
moment it is disclosed, script kiddies are hacking it into their scanners
while it could be 4 am in the vendor's timezone. If we are lucky enough
that the vulnerability is spotted by a whitehat, we should not jeopardize
the time advantage we have by announcing it publically.
This situation already occurs. If a researcher leaks information to a few
'allies', if a technique is discovered 'in the wild', or if a vendor silently
fixes unknown problems, then there are those who possess the knowledge and
those that don't. We are simply providing a forum for those who wish to try
and balance out this situation.
In short, I think this is a bad idea because it adds confusion for the
vulnerability spotters, risks early disclosure before fixes are available
and thus harms the users.
Early disclosure is important, IMO, as was proved with the recent Apache flaw.
I believe there were reports of Gobbles' exploit being active in the wild long
before the patched packages were available, and being alerted to the problem
even if there was no fix would have at least given admins a 'heads-up' and
allowed people to make informed business decisions. Of course, this is our
personal opinion, but we hope that others concur and wish to share in our