lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: hellnbak at nmrc.org (hellNbak)
Subject: Re: Full Disclosure != Exploit Release

Paul,

It is 2:30AM in my part of the world (Tokyo) I have been drinking heavily
and I have a meeting in 4 hours.  So forgive me for not posting the exact
advisories adn exact examples but in my experiance with the various
mailing lists I have moderated, the various jobs I have held and the
various ohter interests Ihave -- I have ran into vendors willing to eithe
rthreaten lawsuit or deny all together before they fix a vuln.

This is truly the case.  Perhaps tomorrow afternoon I will send you my
specific examples.

On 29 Jan 2003, Paul Schmehl wrote:

> Date: 29 Jan 2003 10:23:23 -0600
> From: Paul Schmehl <pauls@...allas.edu>
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Re: Full Disclosure != Exploit Release
>
> On Wed, 2003-01-29 at 06:13, David Howe wrote:
>
> > That is of course your choice. Vendors in particular were prone to deny
> > a vunerability existed unless exploit code were published to prove it.
>
> I've read this mantra over and over again in these discussions, and a
> question occurs to me.  Can anyone provide a *documented* case where a
> vendor refused to produce a patch **having been properly notified of a
> vulnerability** until exploit code was released?
>
> Definitions:
>
> "properly notified" means that the vendor received written notification
> at a functional address (either email or snail mail) *and* responded
> (bot or human) so that the sender knows the message was received.
>
> "documented" means that there is proof both of proper notification *and*
> that a patch was not released in a timely manner
>
> "timely" means within two weeks of the notification
>
> "vendor" means any company that produces publicly available software -
> open source or commercial
>
> Caveats:
>
> You cannot use a case where exploit code was released at the same time
> the vulnerability announcement was made *or* within two weeks of the
> announcement (see "timely")
>
> I'm not saying this doesn't occur.  Just that it has the smell of urban
> legend and justification for actions taken.
>
>

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@...c.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ