Full Disclosure mailing list archives

Re: Full Disclosure != Exploit Release


From: Paul Schmehl <pauls () utdallas edu>
Date: 29 Jan 2003 10:23:23 -0600

On Wed, 2003-01-29 at 06:13, David Howe wrote:

That is of course your choice. Vendors in particular were prone to deny
a vunerability existed unless exploit code were published to prove it.

I've read this mantra over and over again in these discussions, and a
question occurs to me.  Can anyone provide a *documented* case where a
vendor refused to produce a patch **having been properly notified of a
vulnerability** until exploit code was released?

Definitions:

"properly notified" means that the vendor received written notification
at a functional address (either email or snail mail) *and* responded
(bot or human) so that the sender knows the message was received.

"documented" means that there is proof both of proper notification *and*
that a patch was not released in a timely manner

"timely" means within two weeks of the notification

"vendor" means any company that produces publicly available software -
open source or commercial

Caveats:

You cannot use a case where exploit code was released at the same time
the vulnerability announcement was made *or* within two weeks of the
announcement (see "timely")

I'm not saying this doesn't occur.  Just that it has the smell of urban
legend and justification for actions taken.

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Current thread: