Many people in this industry know me, if not personally, then by reputation, and know I have always been a supporter of full disclosure. The idea behind the VNA is exactly as we state on the web site. It exists as a method to "persuade" vendors to provide their customers with a patch rather than silently supply security fixes in a service pack.

We all know that trying to keep up with patches can be a never-ending task - however - if there is a security problem in the software I use, I'd rather be able to assess the risk to me or my organization myself and determine if I need to install the patch or whether I can wait until the next service pack comes out. In the absence of a patch I can't make this choice, though - the vendor has done the risk assessment for me - and this is useless. How can they, not knowing my circumstances, decide for me whether a security problem should be left for the next 8 months until the next service pack is due out? I'd rather see vendors furnishing their customers with the right information and a patch so the _customer_ can decide whether they want or need to fix the hole.

Now - what has been happening recently is quite the opposite. Vendors have been moving away from providing a patch to rolling them up in service packs. Hence the VNA. I feel that once a vendor is publicly seen to have a problem with their code, then the only responsible thing they can do is provide their customers with a patch.

The VNA is not some marketing scheme. Whenever I have discovered a problem it has always (well, 90% of the time) immediately gone into Cerberus Internet Scanner or Typhon, so this aspect of the VNA thing is not new by any stretch of the imagination. What's more, the VNAs are not posted to any mailing list - only posted on our site. Those who mostly come to our site are our customers - and I don't need to market to these people.

I hope this clears up some of the speculation.
Cheers,
David Litchfield
http://www.ngssoftware.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service, which automatically alerts you to the latest security vulnerabilities, please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue May 28 2002 - 16:19:15 PDT