From: zol@hushmail.com
Date: Wed May 29 2002 - 03:09:25 EDT
A lot of emotion on both part !!! ;-)
Let's try not to be sensitive, this is an open discussion
between people who share some ideas ;-)
I jut want to review the concept, perhaps i'm wrong :
1- David find a new vuln, insert the detection in his scanner
2- He send the bug to the vendor and wait one week to published it even
if the patch is not released.
- Let's think about the future if all the vulnerability assesment scanners adopt
the same strategy.
( Of course not only NGS can discover new vulnerability ;-) )
It could become a race between competitors to provide NEW vulnerability
detection. Of course such emulation is good but it can move to the dark side.
Yep we can easly imagine the scanners guys hiding their discoveries and keeping
them for their customers only !
What i see in this case is that people who buy such product will be lost :
which one to choose ? which one have the best 0-day ? this is really fun,
isn't it ?
I just imagined what could be the future even if david plan to publish his vuln,
and it brings me to my second point :
- Publishing a vulnerability is a question of policy everyone is free
to do whatever he wants.
For me i would say it's a little bit hazardous to publish a vulnerability
if a vendor patch is not ready.
These days there is more and more talented people in the security area,
bad guys, good guys,...;-) and these days we can say that the script kiddy definition has changed : Now a script kiddy is someone which can write an exploit thanks to the advisory.....
If no patch is provided you will see a lot of system compromised !
In fact more than if it was not published.
Also it could happen that there is not workaround except the vendor
patch to avoid the vuln. In the case you will ask your customer to turn
his service down ?
Ok i hope it was clear just to summarize :
- all the vulnerability scanners will do the same ( NGS like the
others want to do business ) and customers will be lost.
- publishing vulnerability before the patch is done is a hudge risk.
Thanks and i hope that nobody was offended.
zol
Hush provide the worlds most secure, easy to use online applications - which solution is right for you?
HushMail Secure Email http://www.hushmail.com/
HushDrive Secure Online Storage http://www.hushmail.com/hushdrive/
Hush Business - security for your Business http://www.hush.com/
Hush Enterprise - Secure Solutions for your Enterprise http://www.hush.com/
Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT