Full Disclosure mailing list archives

(no subject)


From: full-disclosure () lists netsys com (sockz loves you)
Date: Mon, 19 Aug 2002 02:20:42 -0500

----- Original Message -----
From: "M L Lynch [ SotG ]" <fred () the-debaters com>
Date: Mon, 19 Aug 2002 15:38:12 +1000 
To: <full-disclosure () lists netsys com>
Subject: Re: [Full-disclosure] (no subject)

If you ever find a major security bug in a major piece of software, such as
M$ software, approaching the vendor directly does not work. Quite often they
will just add it to the end of the list of complaints, and might get around
to it in some future patch... if they feel like it... and if they think the
security bug you found poses great risk, they still won't fix it till they
feel like doing it. Instead, they now know who you are... and they take
subtle yet effective precautions to make sure you don't tell anyone about
it. I know.

well then that's the company's problem isn't it.  in a hypothetical situation like that you should be aiming your 
complaints not at the lack of a security industry but at the software developer's idiotic business practices.
 
At least if proof of concept is out there, and the risk is publicly known,
they have some motivation to fix it, and the users of the product can take
precautions to get around the bug until it is fixed.

not really.  if the concept is out there but the vendor isn't going to do anything... then you're posing a greater 
security risk by having the vulnerability out there, aren't you?  forcing vendors to fix bugs by threatening to make 
those bugs public is a poor solution to shoddy workplace practices.

Anyway, my thoughts.

interesting none the less

Cheers

likewise


