| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: dufresne at winternet.com (Ron DuFresne) Subject: Re: it\'s all about timing [SNIP] > >Your number 6 below: > > > >"The Vendor MUST provide a facility for individuals or > > organizations who are not Customers to report vulnerabilities" > > > >This to me sounds like it is acceptable that there are going to be > >vulnerabilities. Continue cranking out shodware because we have a set > >of guidelines that people who stumble across them are expected to > >adhere to. > > Vulnerabilities will happen, even in the best of circumstances, as > long as new types of vulnerabilities are discovered. If there are 20 > individuals who decide to audit a package for a new type of > vulnerability, but the vendor only has 5 developers, then it seems > like there's a good chance that someone other than the vendor will > discover the issue. Then you've got "interaction" vulnerabilities, > which I loosely define as when a vulnerability occurs in the way that > two products interact with each other. Developers can't always > predict how their product will be used, or how it will interact with > other products, so interaction-based vulnerabilities may be around in > one form or another. But seriously, what's new about buffer overflows, which are the main cause of vunls in software now as they were in the 1980's and prior when the morris worm hit[1]. How about repeat issue with the same products, like the M$ sql server issues <not that M$ is the only vendor with products that sink time and again>? What 'new types of vulnerabilities' are being discovered? [SNIP] Thanks, Ron DuFresne [1] http://sysinfo.com/iworms.html (our shameless plug) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
Powered by blists - more mailing lists