From: Richard.Scott at BestBuy.com (Scott, Richard)
Subject: RE: it's all about timing

<snip>
Only if the vendor does nothing in these weeks, only then the
report/exploit/whatever should be made public.
<snip>

[RS] For those on the FULL DISCLOSURE list you can read the full thread on
Bugtraq.  The exploit is not the problem, it is truly related to the fact
that vendors must notify clients directly if a vulnerability is found.
Just because a security hole has been discovered does not mean other factors
cannot be used to mitigate risk.

<snip>
If hacker H writes a comment on Slashdot, making public an exploit
against some software made by vendor V, and does not notify V in advance
(say, 2...4 weeks in advance), and then V sues H, then who's right?
<snip>
 
[RS] If the vendor was aware for 2-4 weeks and failed to notify its
clients, yes.


Richard Scott
INFORMATION SECURITY
Tel: (001) -952-324-0697
Fax: (001) -952-996-4830
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy
or any of its subsidiaries