lists.openwall.net   lists  /  announce  john-users  owl-users  popa3d-users  /  xvendor  oss-security  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4 
Open Source and information security mailing list archives
 
This website is powered by Openwall GNU/*/Linux security-enhanced OS
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
From: cerebus at sackheads.org (Timothy J.Miller)
Subject: it's all about timing

On Wednesday, July 31, 2002, at 04:26 PM, Florin Andrei wrote:

>  							But every security problem
> (especially when it's accompanied by an exploit) should be reported
> first to the vendor! There should be no exception from this rule. The
> person doing the reporting should give the vendor a reasonable period of
> time to fix it; say, a few weeks or so.

I can't agree.  In my day job I maintain systems for a defense agency, 
and I *have* to know what my exposures are *at all times*, whether a fix 
exists or not, since lives can be dependent (directly or indirectly) on 
the availability and integrity of my systems.

Without this information, I can't mitigate my risk.  Leaving *my* risk 
in the hands of a vendor-- who has a vested interest in *not* letting me 
know-- is wrong.

-- Cerebus

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux