| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050630173657.GU24368@techometer.net> Date: Thu, 30 Jun 2005 10:36:57 -0700 From: Erick Mechler <emechler@...hometer.net> To: Joachim Schipper <j.schipper@...h.uu.nl> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: Publishing exploit code - what is it good for :: Blackhats may get along with only a handful of exploits, if they're :: willing to try to find targets to match their collection, but a :: pentester should have the collection to match the target. :: :: This is doubly true if we're not talking about a dedicated pentester, :: but about a sysadmin with a networking/security background who likes to :: verify that the patches did, indeed, work. To that I say let the people producing the patches deliver the exploit code as a POC that the patches did, indeed, work. Releasing exploit code before the patch is released helps nobody except the blackhats. :: Also, exploits will be distributed, publicly or otherwise - doing it in :: the open means we know what happens when. You should, as an admin, assume that once a vulnerability is released, the exploit has been too, whether you see it attached to the vuln announcement or not. Cheers - Erick _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists