We are not going to get anywhere in software security until suppliers (I nearly said vendors) become more aware of the problems their code often has. There is a wide range of knowledge and ability among software suppliers. The upper end has its problems; the lower end is a menace. Many list readers work hard at eliminating security bugs from their sites and do not look kindly on the flow of new and avoidable incoming bugs. When you raise likely bug reports with a suppliers they can go something like this: Us> We just got "foo v10" from you. We noticed a remotely-accesible Us> buffer overrun reaching the stack pointer in a root-run program. Us> This is a security problem we'd like you to fix. Them> Thank you for your interest. We are not aware of any security Them> issues with our industry-leading product. With a full-disclosure archived list you have an educational resource to lead these guys to, even if you can't make them think. Spaf's point on making a dangerous bug known first to the public rather than the supplier is of course a valid one. -- ############################################################## # Antonomasia antat_private # # See http://www.notatla.demon.co.uk/ # ##############################################################
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:32 PDT