Bugtraq mailing list archives

Re: In reply to comments about new policy


From: rwing!pat () ole cdac com (Pat Myrto)
Date: Tue, 29 Nov 94 22:57:58 PST


"In the previous message, John DiMarco said..."

[ ... ]

> Surely there is a third way: time-lapsed full disclosure. When a problem is
> discovered, don't announce it until there's a patch, then announce the problem
> and the patch together, without exploitation information.

BINGO!!!!  That is what I (and many others) have been advocating all
along.  A stepwise approach:  Vendor first, then partial disclosure
(including note that full disclosure is coming in about a week or so -
depending on the individual problem at hand), and finally the full
disclosure, with at least an attempt at a fix included if humanly
possible.

If the hole was discovered via a cracker's break-in, that shortens the time
frame a lot, as the cat's pretty much out of the bag.

In no case should the delay be so long that the affected OS is dead and
stinking, though...

> After a suitable time (weeks?) has passed, the rest of the information can be
> announced.  But don't post scripts to exploit the bug; it gives root to too
> many newbies.

I'll go along with that.  But sufficient info for an admin to figure
things out enough to TEST for the bug.  It will help the admins, but I
think a canned gimmie-root script all ready to run is a bit much.

But I will take the canned scripts in preference to the CERT-like approach.

[ ... ]
-- 
pat@rwing  [If all fails, try:  rwing!pat () eskimo com]  Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding
empirical evidence."  --   Ann Landers, nationally syndicated advice columnist
and Director at Handgun Control Inc.
