Message-ID: <200301291707.h0TH7es03117@web186.megawebservers.com>
From: http-equiv at malware.com (http-equiv@...ite.com)
Subject: Re: Full Disclosure != Exploit Release


<!-- Paul Schmehl wrote:

On Wed, 2003-01-29 at 06:13, David Howe wrote:

> That is of course your choice. Vendors in particular were prone to deny
> a vulnerability existed unless exploit code were published to prove it.

I've read this mantra over and over again in these discussions, and a
question occurs to me.  Can anyone provide a *documented* case where a
vendor refused to produce a patch **having been properly notified of a
vulnerability** until exploit code was released? -->

It is accurate. Even providing the most detailed step-by-step 
instructions to the vendor can yield a blank stare and a request for 
a working demonstration. Once submitted, the vendor disappears.
Thereafter you publish both the detailed step-by-step and the working 
demonstration because you never hear back from the vendor. Or if you 
do hear back, it has been determined by them "not to be an issue".

Happens all the time.



-- 
http://www.malware.com


