Joseph Pingenot wrote:
>
> Maybe. If Vendor doesn't release Patch, IMHO, publicizing the hole
> and then, maybe a while later, releasing the exploit is the proper
> way to go. Be vocal about it and the reasons for posting it like that,
> and people will migrate to a different (hey, Free Software guarantees
> at least *someone* can make a patch, even if Vendor is too lazy)
> software, since they now know that Vendor does not care about security.
Which sums things up nicely. (I don't want to start Yet Another Full
Disclosure Discussion.)
Policy of this list (and most lists that post vulnerability information)
is to allow the poster to determine when information goes out. My
only exception is for individual sites (i.e. Microsoft has a SQL
injection hole at this site...) vs. a product. I may on occasion
encourage a poster to do different, but it is their decision.
BB
Received on Feb 04 2002
Intro
