Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: zolat_private
Date: Wed May 29 2002 - 00:09:25 PDT


    A lot of emotion on both parts !!! ;-)
    Let's try not to be sensitive, this is an open discussion
    between people who share some ideas ;-)
    
    I just want to review the concept, perhaps I'm wrong :
    1- David finds a new vuln, inserts the detection in his scanner
    2- He sends the bug to the vendor and waits one week to publish it even
    if the patch is not released.
    
    - Let's think about the future if all the vulnerability assessment scanners adopt
    the same strategy.
    ( Of course not only NGS can discover new vulnerabilities ;-) )
    It could become a race between competitors to provide NEW vulnerability
    detection. Of course such emulation is good but it can move to the dark side.
    Yep we can easily imagine the scanner guys hiding their discoveries and keeping
    them for their customers only !
    What I see in this case is that people who buy such products will be lost :
    which one to choose ? which one has the best 0-day ? this is really fun,
    isn't it ?
    I just imagined what the future could be even if David plans to publish his vuln,
    and it brings me to my second point :
    
    - Publishing a vulnerability is a question of policy, everyone is free
    to do whatever he wants.
    For me I would say it's a little bit hazardous to publish a vulnerability
    if a vendor patch is not ready.
    
    These days there are more and more talented people in the security area,
    bad guys, good guys,...;-) and these days we can say that the script kiddy definition has changed :
    Now a script kiddy is someone who can write an exploit thanks to the advisory.....
    If no patch is provided you will see a lot of systems compromised !
    In fact more than if it was not published.
    Also it could happen that there is no workaround except the vendor
    patch to avoid the vuln. In that case will you ask your customer to turn
    his service down ?
    
    Ok I hope it was clear, just to summarize :
    - all the vulnerability scanners will do the same ( NGS like the
    others wants to do business ) and customers will be lost.
    - publishing a vulnerability before the patch is done is a huge risk.
    
    Thanks and i hope that nobody was offended.
    
    zol
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Wed May 29 2002 - 08:17:40 PDT