Bugtraq mailing list archives
Re: Remote DoS Attack in Eeye Iris 1.01 and SpyNet CaptureNet v3.12 Vulnerability
From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Thu, 31 Aug 2000 17:50:08 -0700
"Jay D. Dyson" <jdyson () TREACHERY NET> writes:
I don't typically do this, but I feel I must question the validity
(and even the value) of issuing a DoS advisory on products that are either
in Beta or no-longer-supported.
That a product is in Beta means that the vendor has a distinctly
open-door policy on any bug reports regarding the software. Beta == Bugs.
No surprise there. ...Yet when a product is no longer supported, issuing
a DoS exploit against it isn't only yesterday's news...it's slapping the
jellied *remains* of a dead horse.

If the vulnerability is serious (e.g. can get root access -- DoS only affecting the product probably would not qualify), I see no problem with reporting bugs in beta software. Some software stays in 0.x mode for years. And just because a product is no longer supported doesn't mean it's not in wide use. A lot of software becomes stable, goes into wide use, and then there comes a time where there's no official maintainer, or the official maintainer is unresponsive. For instance, if someone found a glaring security hole in obtuse.com's smtpd, which isn't being actively supported (I've contributed patches to them and have never received any reply), I'd want to hear about it.

----------------------------------------------------------------------
Dan Harkless                     | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net | do not mention this private email
SpeedGate Communications, Inc.   | address in Usenet posts. Thank you.
