| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jstout at 0x4a.com (Jason Stout) Subject: Re: Re: <to various comments>EEYE: Microsoft ASN.1 ... On Thu, Feb 12, 2004 at 12:56:59AM -0600, Paul Tinsley wrote: <snip> > Show me one competitor that releases such detail at day 0 of patch release. > It took me less than 5 minutes to find an advisory from one of eeye's major competitors who released an advisory WITHOUT a vendor patch being available. > > > >When we - or our competitors - do not have full details on a > >vulnerability, we have to reverse engineer the patch to do so. And, we > >all do this. > > > > > I am sorry that you have to do what you get paid to do. Would it be an > unreasonable thing to consider a gentlemans agreement between assessment > vendors to share network behavioral fingerprints for vulns such as > these? The finder still gets credit, the vendor still gets to help his > clients, and next time he isn't the one to find it he still gets to help > his clients. Seems like a decent deal to me... > Yes it would be unreasonable. Early notification which in turn creates superior products is what justifies the money spent on R&D by these companies. Why should a security company who has two employees doing vulnerability research be privy to the same information of a competitor who employs 10+ researchers? On top of that, I think you fail to realize that some assessment vendors already have agreements in place with "certain large companies" who provide them with advanced notification. Often times, a "network behavioral fingerprint" provides enough information to exploit the condition. In your magical little world, who gets the information and who doesn't? How do your prevent the info from reaching the wrong hands? CERT's tried this and failed. > >So, people complaining about us releasing all of the details... They > >simply are ignorant of what must be done in this process. They like to > >scream and shout about how a worm will be coming and such, nevermind > >that they don't even understand our advisories in the first place. > > > > > > > Don't hold yourself in such high reguard to believe that people the > likes of me cannot comprehend your bulletins, you would be wrong. > Proportionately speaking, I think the majority of people reading their advisory don't fully understand the technical details behind it. I know I don't. If your one of the few minority who can, good for you. Drew never called you out directly. He was making a blanket statement which in my opinion is quite accurate. <snip> Regards, Jason Stout
Powered by blists - more mailing lists