[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200704251854.l3PIsnTk022522@faron.mitre.org>
Date: Wed, 25 Apr 2007 14:54:49 -0400 (EDT)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: Re: 3Com's TippingPoint Denial of Service
Simple Nomad said:
>A series of evil packets will cause me to have remote root access to
>Windows, Linux, and MacOS/X. Due to the nature of the vulnerability, I
>will not be releasing any details. In fact, it is so secret even *I*
>don't know the details, but I am *positive* that when I see someone
>else post my work, I should get full credit, right?
Great point.
Seriously, though - this is becoming a big problem on these lists. If
you don't post details, *and* you don't coordinate with the vendor,
then you have provided ZERO actionable information, not to mention
causing confusion when some details do come out in later disclosures -
is it the same issue or not? Are customers protected or not?
It's not just disclosures by unknown parties, either - some great
examples of this are the GLEG and Immunity pay-to-play disclosures
that don't include any vendor notification. For example, a GLEG
proFTPd report caused no end of havoc for all parties concerned,
including the Linux distros themselves, although at least there was a
back-reference to make the connection, which is still pretty rare for
a vendor. And there's also some difficulty in handling disclosures
with a grace period in products whose vendors do not provide credits,
as happens with NGS Software sometimes.
Lately, CVE has started taking the approach that if there's no
actionable information, *and* the researcher is not known to be
reliable, then the reports amount to little more than rumors until
proven otherwise. We assume (perhaps mistakenly) that reliable
researchers have done their homework and are reporting new issues.
Vulnerability information is noisy enough as it is without adding
vague, unactionable claims into the mix.
- Steve
Powered by blists - more mailing lists