> The REAL problem is software package maintainers who do not proactively > audit their software. That some vendors miss problems, or that software in widespread legacy use is suddenly found to be vulnerable to a flaw is still not a reason to widely publish a description of a potential attack before the vendor is notified. Yes, some software could be written better. Yes, some vendors may do a poor job of responding to reports. Still, posting attacks or vulnerabilities that are in not in general knowledge and are not being actively exploited and *before* the vendor has been given a chance to respond is not being part of the solution. It is arrogance or showing off. People who really want to improve security find ways to avoid hurting victims and increase protection. If there is a problem that is not known and not under attack, notifying the vendor and waiting for a valid fix to appear is not going to result in anyone being hurt. Posting an exploit widely for a previously unknown problem suddenly opens up all the current users to attack. That there is (perhaps) a problem in assurance does not forgive this problem. Two wrongs do not make a right.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:35:49 PDT