Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: RE: Disclosure policy in Re: RealPlayervulnerabilities
From: "Jason Coombs PivX Solutions" <jasonc () science org>
Date: Sat, 9 Oct 2004 06:29:57 +0000 GMT

0. ("The primordial sin") The
vulnerable product is released ...
Vendors must work much harder
to avoid releasing ... code ...

Absolutely correct. Vendors who release code are the core problem.

Vendors should not release code, they should release its source.

Where this is not done, vendors should at least release a detailed code map and important security-related excerpts of 
the source as part of a forensic analysis report about the code that enables a skilled person to more easily read 
through the code with a hex editor and disassembler in a reasonable amount of time and decide whether to use the 
vendor's product as-is or whether to modify it to take out parts that expose unwarranted features and unwanted risk.

We simply must stop executing other people's OTS code.



Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • Re: RE: Disclosure policy in Re: RealPlayervulnerabilities Jason Coombs PivX Solutions (Oct 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]