Without detailed information: How should third parties develop countermeasures? In essence you are arguing that only the vendor should be capable of fixing the vulnerable software.

How should authors of vulnerability scanners and intrusion detection systems obtain information to produce new signatures? You may answer that only qualified security vendors should have access to the information. Who qualifies them? Who enforces these rules? What about non-commercial or open source tools?

How should academics obtain information for research purposes? You may answer that only qualified security vendors should have access to the information. Who qualifies them? Who enforces these rules?

How should users verify that the vendor fix works as described? Some vendors have a history of requiring a few revisions of a patch to get it right.

What do you do if the vendor is not cooperating, does not maintain the product any longer, or no longer exists?

Unless you can answer all these questions successfully, you will continue to see detailed disclosure of vulnerabilities.

What it boils down to is this: disclosure of detailed vulnerability information benefits security-conscious people, while, in the short term, it hurts people that do not keep up with security, with the hope that it also helps them in the longer term. Will security-conscious people give up the benefits of detailed disclosure of vulnerability information to help mitigate the short-term risk of people that are not keeping up with security? Doubtful.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 12:23:56 PDT