| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Mar 2011 09:46:44 -0500 From: R Michael Williams <rmwstealth@...cast.net> To: Michal Zalewski <lcamtuf@...edump.cx> Cc: "J. Oquendo" <sil@...iltrated.net>, Luigi Auriemma <aluigi@...istici.org>, "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com> Subject: Re: Vulnerabilities in some SCADA server softwares While I support full disclosure, I also advocate responsible disclosure. The public _has_ a right to know, but in this case, they can play no significant part in remedy or mitigation unless they are employees of the vendor or the customer. I believe the best course of action for a SCADA vulnerability would be to let the vendor know first, let them know you intend to disclose publicly after a reasonable time, then release to the potential customers in a responsible time thereafter, and finally the public (admittedly could be very arbitrary per researcher). This way you can hopefully get the fix started and let the security-conscious vendor notify customers how to defend in the interim for defense purposes _before_ you let a potential attacker in on the problem. Just my $0.02... Sent from my mobile launching platform... On Mar 22, 2011, at 16:24, Michal Zalewski <lcamtuf@...edump.cx> wrote: >> Analogy: Car owner has his car speed up ending up in almost near >> catastrophe. Car owner goes to media outlets condemning the >> manufacturer: "How could you be so reckless! Thousand of lives..." >> Reality: Car manufacturer was never made aware of the issue. How do you >> propose a manufacturer fix an issue? > > Yes, the discussion definitely needed a car analogy... > > The author decided to follow a particular route, probably not out of > malice, but because he believes that his responsibilities to inform > the public outweigh the responsibility to assist the vendor. You > wouldn't do the same, but you haven't discovered these bugs. > > Unless your view is that you would rather not know about about > security problems at all, than see a disclosure mode you do not agree > with, I do not think it's fair to lash out against the reporter; and > it's not particularly fitting to do so on BUGTRAQ. > > /mz
Powered by blists - more mailing lists