Dailydave mailing list archives

RE: Lynn / Cisco shellcode


From: "Dennis Cox" <dcox () tippingpoint com>
Date: Thu, 28 Jul 2005 23:31:56 -0500

I'm going to respond to myself - because I didn't feel I was clear. My point is if a vulnerability is so severe and the 
company whose product has the vulnerability takes an unreasonable amount of time to resolve the issue, what route can 
one take? In this case Cisco announced that it will issue the security bulletin tomorrow, I believe. That's only because 
Mr. Lynn forced their hand. I don't want ISS, iDefense or heck my company sitting on a vulnerability for a year or two 
just to appease some company. There has to be some other alternative. The security companies don't have one - their 
lawyers force them to keep quiet, would be my guess. 

One could go anonymous of course but that's scary in many regards - something has to have teeth.
 
So does that mean that perhaps the government (or a government type agency (e.g. UN)) should become a notification 
point for vulnerabilities in the future? I realize it's got tons of downsides (too numerous to list) but the upside 
is pressure. They can put tons of pressure on Cisco and Oracle (700 days was mentioned before which is an ungodly 
amount of time) to fix the vulnerability by denying government purchases of that vendor's equipment until such a time 
as the vulnerability is resolved. 

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave

