Date: Thu, 30 Jun 2005 11:18:52 -0700
From: Skip Carter <skip@...geta.com>
To: Aviram Jenik <aviram@...ondsecurity.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Publishing exploit code - what is it good for

> I recently had a discussion about the concept of full disclosure with one of
> the top security analysts in a well-known analyst firm. Their claim was that
> companies that release exploit code (like us, but this is also relevant for
> bugtraq, full disclosure, and several security research firms) put users at
> risks while those at risk gain nothing from the release of the exploit.
> reluctant. Their claim was that based on their own work experience, a
> security administrator does not have a need for the exploit code itself, and
> the vendor information is enough. The analyst was willing to reconsider their

I think it's a question of what the role of the 'security administrator' is
within the enterprise. If their job is primarily threat evaluation and
appropriate patching/updating in response, then I agree that the publication
of an exploit is not very helpful. If, however, the job is firewall/IDS
management or incident investigation, then having access to actual exploit
code is extremely valuable to have.

-- 
Dr. Everett (Skip) Carter          Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Network Security Services  email: skip@...geta.net
1340 Munras Ave., Suite 314        WWW: http://www.taygeta.net/
Monterey, CA. 93940