Message-ID: <3E3805F6.6050209@guninski.com>
From: guninski at guninski.com (Georgi Guninski)
Subject: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release
Personally don't care whether you release exploits or not.
But will you use nessus and such?
Because someone filled the nessus db imho.
Georgi Guninski
http://www.guninski.com
Strategic Reconnaissance Team wrote:
> All,
>
> I have been following the subject of full disclosure for a while, and as
> most of you know, have dealt with some of the issues that full
> disclosure can cause (HP/Secure Network Operations/DMCA). While the
> idea of full disclosure is a good idea, and while we support it, we feel
> that the exploit source code should not be released to everyone.
>
> It is possible to prove a vulnerability exists by releasing well written
> advisories. Because of this fact, proof of concept code (exploit
> source) is not a requirement for the education of the possibly
> vulnerable. Releasing non-malicious exploit code is also not an option
> as any local script bunny/kiddie can easily render it functional.
>
> Proof of concept code is useful for legitimate contract based
> penetration tests. It is also useful for study as it demonstrates
> fundamental flaws in computers today (not built in security). But again,
> proof of concept code is not for everyone.
>
> I am interested in hearing the opinions of the people on this list. If
> you are for exploit source disclosure, I would like to hear arguments
> supported by facts, that explain why. I am equally interested in
> reasons why not to disclose information.
>
> With that said, Secure Network Operations, Inc. will no longer be
> releasing functional proof of concept code. We may release sufficiently
> detailed advisories.
>
>