On Tue, Feb 25, 2003 at 08:07:08AM -0600, H D Moore wrote: > On Monday 24 February 2003 08:09 pm, Michael Jennings wrote: > > I'm not sure what "vendor coordination" was done, but I know I was > > never contacted. Just FYI. > > The vendor coordination was done through the vendor-sec mailing list with > about a three-week head start prior to disclosure. There really weren't > many true "bugs" found, just about everything covered was implemented > deliberately and could be found in the documentation of the app. There > had already been a number of debates on the exploitability of these > features, so this paper was more of a FAQ than any sort of advisory. It > wasn't my intention to catch anyone off-guard on this, just to bring > these issues back into the limelight for a while and see if other people > had a similar take on them. I would suggest that vendor coordination that doesn't involve contacting the authors is a specious process. Surely the authors themselves would be useful allies in exploring the full consequences of and resolving security problems. After all they probably know the code at least as well as anyone else. -- Horms _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Wed Feb 26 2003 - 03:27:11 PST