Message-ID: <A5489930-A55E-11D6-AE69-000393779ABA@sackheads.org>
From: cerebus at sackheads.org (Timothy J.Miller)
Subject: it's all about timing

On Wednesday, July 31, 2002, at 04:26 PM, Florin Andrei wrote:

> But every security problem
> (especially when it's accompanied by an exploit) should be reported
> first to the vendor! There should be no exception from this rule. The
> person doing the reporting should give the vendor a reasonable period of
> time to fix it; say, a few weeks or so.

I can't agree. In my day job I maintain systems for a defense agency,
and I *have* to know what my exposures are *at all times*, whether a fix
exists or not, since lives can be dependent (directly or indirectly) on
the availability and integrity of my systems.

Without this information, I can't mitigate my risk. Leaving *my* risk in
the hands of a vendor-- who has a vested interest in *not* letting me
know-- is wrong.

--
Cerebus