Message-ID: <08DB0CA58DD08049AF4DE785EC2A857F0455F17B@cs17mail.bestbuy.com>
From: Richard.Scott at BestBuy.com (Scott, Richard)
Subject: RE: it's all about timing

<snip>
Only if the vendor does nothing in these weeks, only then the
report/exploit/whatever should be made public.
<snip>

[RS] For those on the FULL DISCLOSURE list you can read the full thread on
Bugtraq.  The exploit is not the problem, it is truly related to the fact
that vendors must notify clients directly if a vulnerability is found.
Just because a security hole has been discovered does not mean other factors
cannot be used to mitigate risk.

<snip>
If hacker H writes a comment on Slashdot, making public an exploit
against some software made by vendor V, and does not notify V in advance
(say, 2...4 weeks in advance), and then V sues H, then who's right?
<snip>
 
[RS] If the vendor was aware for 2-4 weeks and failed to notify its
clients, yes.


Richard Scott
INFORMATION SECURITY
Tel: (001) 952-324-0697
Fax: (001) 952-996-4830
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy
or any of its subsidiaries
