Jason,

> I've proposed to Microsoft that they stop publishing Mitigating Factors in
> their security bulletins, and now it looks necessary to propose the same in
> a more open forum.

I disagree. From a risk perspective you need to know mitigating factors. To kill the hype that accompanies a newly discovered vulnerability you need a cool, dispassionate overview of the problem. Your sample 'aggravating' factor was anything but, and would be more likely to add to the hype.

I think your decision to ask Microsoft first is a sign of your prejudice; why not ask the Open Source communities to lead the way? I can see it now:

"WARNING: By using Open Source code anyone can modify the source, replace your binaries, and completely root your system!"

John Howie CISSP MCSE
President, Security Toolkit LLC
This archive was generated by hypermail 2b30 : Thu Feb 06 2003 - 09:13:31 PST