Full Disclosure mailing list archives

Re: RE : [Secure Network Operations, Inc.] Full Disclosure != Exploit Release


From: Blue Boar <BlueBoar () thievco com>
Date: Wed, 29 Jan 2003 12:31:24 -0800

Strategic Reconnaissance Team wrote:
        Very good points.  I've considered most of these and they all make
sense. As far as corporate politics are concerned, don't you think that
exploit disclosure could hurt vendor relationships? Granted, we are not
going to make our decision on that premise but it would be a nice thing
to avoid.

Given what I know about your business model (which, I understand, is that you research or acquire vulnerabilities, notify the vendor, and see if they are interested in consulting work), then no, they would probably not want to see the exploits released publicly. The vendor would probably like to have the exploit themselves, but not have it made public.

One problem with anyone making private exploits is that they always seem to get leaked, no matter who it is. I don't know if that is pro or con for releasing public exploit, but it's something to keep in mind if there is a concern about the exploit "getting out."

Naturally, if someone writes an exploit, they can do whatever they want with it. I think there are several business models where it absolutely makes sense from a business perspective to not release exploits. With yours, it may make sense to not release exploits. For scanner vendors, it absolutely makes sense for them to not release exploits (to the public, for free, I mean. Not all of them, anyway.)

My main concern is that a climate not develop such that people who wish to release exploits cannot do so, because all the big guys who can stand up for themselves have quit doing so, and the little guys can be threatened back into the underground.

                                                BB

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html