Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Beta Advisories
From: "Poof" <poof () fansubber com>
Date: Tue, 6 Jul 2004 19:03:27 -0400

Well, I'm personally all for announcing a beta advisory. However, when I'm all for it is as follows:

Example. Eudora posts a PUBLIC beta on their website. Then fine, announce the bug anywhere. However, when it's private. It should go the normal bug ways. To the devs so they can fix it. Fine, it may take a build or two. But it'll be fixed.

Also, I do consider gmail slightly private as it IS 'invite only'. So yes, you should wait before reporting this. On betas the devs are usually extra busy as they're currently having to write code everywhere. They're not just lounging around waiting for bug reports.

Yes, I know this isn't written very well... However...

Yes, and the OIS guidelines are thinly veiled "Oh please don't tell the
world that we have had this bug for 6 months...we'll look bad" methods for
being able to quash the full disclosure model and take the  pressure of
"respond to me, get it fixed, or thr world is going to know about it" off
the vendors.  Do you really think that the vendors will expend resources
to fix things just because it is "the right thing to do"?   Please tell me
you're not that naive...please.

I'm not advocating playing bombs away, sneak attacking a vendor by issuing
a 0-day disclosure publicly.  I sure as hell am saying that a vendor
knowing the vuln will in fact be disclosed after a reasonable period of
time, fixed or not, has certainly motivated more than a few to get the fix
done prior to taking a public black eye.

Bart Lansing
Manager, Desktop Services
Kohl's IT

Attachment: smime.p7s

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]