Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: Patrik Birgersson (float@aiasec.com)
Date: Wed May 29 2002 - 05:57:34 EDT


*lurk mode off*

Hi list!

I have read this thread with interest, and I think I have understood what
all of you have written although English is not my native language (so you
may have to forgive me if I have misunderstood something).

Whether or not people/organizations release vulnerability information for
commercial purposes and whether or not some of you dislike the release of
any information (fully disclosed or not), I still wish to point out one
angle that hasn't been mentioned in this thread (but that is stated in
the VNA policy mentioned in the first posting of this thread).

Vendors are not addressing security issues in a manner that satisfies the
crude community of security interested individuals and organizations
(that is "us"). If they were, we wouldn't have these debates over and over
again, now would we?

I can fully understand, for example, Mr. Georgi Guninski (and others) when
releasing information about vulnerabilities, since I assume that he must
have gotten very frustrated in the past when trying to "give the vendor(s)
a chance", but with none (or very little) reaction from the vendor(s).

This may not mean that I believe that the disclosure method of Mr.
Guninski is appropriate, but that does not matter.

I don't have the right of being the judge of right and wrong any more
than anyone else.

There may exist one or more commonly understood "best practices", but as
long as no agreements have been signed, anybody is in their full right to
choose the disclosure method that they prefer (which may also include no
disclosure at all - not even to the vendor(s)).

I believe that we will always have a black-hat community that possesses
knowledge and exploits for vulnerabilities, and that this community will
not be "kind enough" to let the rest of the world know about it. Even if
all vendors were to "get serious" and release patches as soon as possible
after obtaining knowledge about a vulnerability, there will always be
individuals that don't care about "responsible vulnerability reporting".

The problem does not lie within the reporting methods, but with the
vendors not addressing these issues in a serious way (well, of course
some reporting methods may, or may not, be more appropriate than others).

Instead of flaming each other about disclosure methods and commercial
interests etc. we should try to find a way to influence the vendors to
take security issues more seriously.

*flame shield up* :)

Patrik Birgersson




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT