*lurk mode off* Hi list! I have read this thread with interest, and I think I have understood what all of you have written although English is not my native language (so you may have to forgive me if I have misunderstood something).

Whether or not people/organizations release vulnerability information for commercial purposes and whether or not some of you dislike the release of any information (fully disclosed or not), I still wish to point out one angle that hasn't been mentioned in this thread (but that is stated in the VNA policy mentioned in the first posting of this thread). Vendors are not addressing security issues in a manner that satisfies the crude community of security interested individuals and organizations (that is "us"). If they were, we wouldn't have these debates over and over again, now would we?

I can fully understand, for example, Mr. Georgi Guninski (and others) when releasing information about vulnerabilities, since I assume that he must have gotten very frustrated in the past when trying to "give the vendor(s) a chance", but with none (or very little) reaction from the vendor(s). This may not mean that I believe that the disclosure method of Mr. Guninski is appropriate, but that does not matter. I don't have the right of being the judge of right and wrong any more than anyone else. There may exist one or more commonly understood "best practices", but as long as no agreements have been signed, anybody is in their full right to choose the disclosure method that they prefer (which may also include no disclosure at all - not even to the vendor(s)). I believe that we will always have a black-hat community that possesses knowledge and exploits for vulnerabilities, and that this community will not be "kind enough" to let the rest of the world know about it.

Even if all vendors were to "get serious" and release patches as soon as possible after obtaining knowledge about a vulnerability, there will always be individuals that don't care about "responsible vulnerability reporting". The problem does not lie within the reporting methods, but with the vendors not addressing these issues in a serious way (well, of course some reporting methods may, or may not, be more appropriate than others). Instead of flaming each other about disclosure methods and commercial interests etc. we should try to find a way to influence the vendors to take security issues more seriously.

*flame shield up* :)

Patrik Birgersson

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Wed May 29 2002 - 08:21:11 PDT