Re: [HERT] Advisory #002 Buffer overflow in lsof

From: Weld Pond (weldat_private)
Date: Fri Feb 19 1999 - 13:18:32 PST


    On Thu, 18 Feb 1999, Gene Spafford wrote:
    
    > Yes, some software could be written better.  Yes, some vendors may do a poor
    > job of responding to reports.
    >
    > Still, posting attacks or vulnerabilities that are not in general
    > knowledge and are not being actively exploited and *before* the vendor has
    > been given a chance to respond is not being part of the solution.   It is
    > arrogance or showing off.
    
    Before full disclosure became more of the norm, we lived in a world where
    vendors sat on problems for many months. When bugs were reported questions
    such as, "do our customers know about this problem?" were asked. It was
    clear that the fewer people who knew about the problem the longer it would
    take to be fixed.  It was only when many customers knew about the problem
    that vendors would snap into action.
    
    The other problem with a world where vendors can expect to be notified
    first is they can be reactive about security instead of proactive.  They
    can wait for the "nice guys" to find the problems and cross their fingers
    that the "bad guys" aren't running rampant through their customers'
    "secure" systems.
    
    The full disclosure method has forced many vendors to be more proactive
    about security and that is a good thing.  I would say that full disclosure
    has raised the quality of shipping products and shortened the time between
    problem discovery and vendor fix.
    
    The most important aspect of full disclosure though is that the user is
    informed.  Some users are able to take protective measures without the
    need to wait for a vendor fix.  This lets the user make decisions based on
    as much information about his or her security posture as is available.
    The user is not beholden to the whims of release schedules, corporate
    public relations or the financial standing of the vendor.
    
    > People who really want to improve security find ways to avoid hurting victims
    > and increase protection.   If there is a problem that is not known and not
    > under attack, notifying the vendor and waiting for a valid fix to appear is
    > not going to result in anyone being hurt.   Posting an exploit widely for a
    > previously unknown problem suddenly opens up all the current users to attack.
    
    I agree that someone posting an exploit should also post a fix if they are
    able to determine one.  Sometimes it is not possible due to lack of source
    code or the nature of the problem.  But getting the information out there
    may enable another member of the community to supply a fix that even the
    vendor may not have thought of.
    
    -weld
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:36:35 PDT