Full Disclosure: Re: Guidelines for Security Vuln reporting and response process

From: Ian Wilson <ian_at_iwcg.net>
Date: Thu, 31 Jul 2003 23:39:00 -0400
Jason Coombs wrote:
> My comment to you is this: You're behaving as though if we all just agree to
> filter our thoughts in a particular way then nobody will think anything that
> is prohibited, or if anyone does then at least the prohibited thoughts won't
> spread.
Actually, I'm one of the people who believe that if there's a bug or a vulnerability, it needs to be known about--keeping it secret only doesn't help.  Let's say I write "Happy E's web server and megalo-database combo," and a group finds a way to get information from my database without me knowing.  Let's say we keep it a secret, and while I'm working on it, some rogue group comes in and steals the credit card information from web sites that use my server.  It was "just me and the security group" who knew about the exploit...so who do people want to blame?  The "what ifs" drag on, and people are left, in a worst-case scenario, with a lot of fraudulent charges on their card.

I believe that when you find something wrong with something, you notify everyone at the same time once someone else can confirm it.  It doesn't have to be the software vendor; it can be a trusted colleague, or someone with more computing/security experience than you.  I stay up to date because I like to know what software packages are vulnerable, and I like to know what makes them that way.

You can ask some people who know me....I'm a very vocal person when it comes to free speech.  I don't want anyone's thoughts or ideas suppressed in any way.

I was just posting this so some people can read, get a good chuckle, and go about their day.  I wasn't planning on this becoming a flame-fest.  It was an interesting read to me because it didn't seem like the way to handle that type of thing.  I didn't really appreciate being called "delusional," and I honestly didn't think that one could come up with a valid judgement of a person based on just one post.

Ian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Received on Aug 01 2003