Date: Thu Jul 28 00:34:50 2005
From: James.Williams at ca.com (Williams, James K)
Subject: Our Industry Is Seriously Ethics Impaired


> List:       full-disclosure
> Subject:    RE: [Full-disclosure] Our Industry Is Seriously 
> Ethics Impaired
> From:       security curmudgeon <jericho () attrition ! org>
> Date:       2005-07-27 21:30:22
> Message-ID: Pine.LNX.4.63.0507271728130.13422 () forced ! 
> attrition ! org
> 
> On Wed, 27 Jul 2005, DAN MORRILL wrote:
> 
> : So is 3com willing to lean on Oracle or Microsoft, or Real, 
> : or anyone else to get the patch done in a reasonable time 
> : frame? So that the finder of the issue does not get bored 
> : or angry or worried that someone else will discover it and 
> : then claim full credit for it?
> 
> Why would they lean on any vendor? It is in their best 
> interest to let the vendor take as long as they want to fix an
> issue. 
> 
> Remember that they share this information with their paying 
> clients, so the longer it is "0-day", the longer it is 
> "exclusive" to 3com/clients, the more value it has. Pushing on
> a vendor to patch it faster doesn't do them near as much good
> in the end.
 
Yes, there is value in sharing it first with the paying 
customers, but there is also great value in eventually disclosing
it to the public.  Public disclosure == advertising, for both 
the vuln buyer and the vuln discoverer.  I've found that 
commercial entities who deal in 3rd party vulnerabilities usually
want to share with the public after a few weeks/months.  
Commercial entities who sell vuln audit/scanner/pen-test software
usually don't want to share all of their exploit code or 
vulnerability information though.  They want to share just enough
to get people interested in their products/services.

The only entities who may have no interest in disclosure are:

- the vendors who made and sell the vulnerable products
- people who practice non-disclosure on principle
- exploit hoarders (everybody needs a secret stash of 0-day)
- vendors who sell vuln audit/scanner/pen-test software

So, I guess we will have to wait and see exactly what 3Com
plans to do with the vuln info.

Regards,
kw
Ken Williams ; Vulnerability Research 
Computer Associates ; 0xE2941985
