Joseph Pingenot wrote: > > Maybe. If Vendor doesn't release Patch, IMHO, publicizing the hole > and then, maybe a while later, releasing the exploit is the proper > way to go. Be vocal about it and the reasons for posting it like that, > and people will migrate to a different (hey, Free Software guarantees > at least *someone* can make a patch, even if Vendor is too lazy) > software, since they now know that Vendor does not care about security. Which sums things up nicely. (I don't want to start Yet Another Full Disclosure Discussion.) Policy of this list (and most lists that post vulnerability information) is to allow the poster to determine when information goes out. My only exception is for individual sites (i.e. Microsoft has a SQL injection hole at this site...) vs. a product. I may on occasion encourage a poster to do different, but it is their decision. BB
This archive was generated by hypermail 2b30 : Sun Feb 03 2002 - 20:48:10 PST