| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Jan 2015 14:20:24 -0800 From: Tim <tim-security@...tinelchicken.org> To: Brandon Perry <bperry.volatile@...il.com> Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] McAfee ePolicy Orchestrator Authenticated XXE and Credential Exposure Hi Brandon, > I always assume if I have > found a vulnerability, someone else has found it as well. Yes, you should. For those out there who don't routinely find vulnerabilities, it is hard for them to understand that these issues aren't hard to find if you know what you're looking for. Quite a few bugs I've found in the past have been found by others independently and published before I got around to it. It happens a LOT more than people think. Also, I think companies that sell security software should be held to a higher standard when it comes to fixing bugs. What's the point in buying security "solutions" if those solutions make you more vulnerable? If they currently can't turn around fixes for vulnerabilities quickly, then they can: A. Invest more in their release cycle so new releases can be put out much more quickly. B. Invest more in up-front security testing and Q/A, so they aren't shipping vulnerable code to begin with. C. Do both A and B Preventing these bugs isn't black magic. It isn't rocket surgery. It's just a matter of getting business leaders to care about shipping quality code. tim _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists