| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.6.66.0301291147280.9134-100000@www.nmrc.org> From: hellnbak at nmrc.org (hellNbak) Subject: Re: Full Disclosure != Exploit Release Paul, It is 2:30AM in my part of the world (Tokyo) I have been drinking heavily and I have a meeting in 4 hours. So forgive me for not posting the exact advisories adn exact examples but in my experiance with the various mailing lists I have moderated, the various jobs I have held and the various ohter interests Ihave -- I have ran into vendors willing to eithe rthreaten lawsuit or deny all together before they fix a vuln. This is truly the case. Perhaps tomorrow afternoon I will send you my specific examples. On 29 Jan 2003, Paul Schmehl wrote: > Date: 29 Jan 2003 10:23:23 -0600 > From: Paul Schmehl <pauls@...allas.edu> > To: full-disclosure@...ts.netsys.com > Subject: [Full-Disclosure] Re: Full Disclosure != Exploit Release > > On Wed, 2003-01-29 at 06:13, David Howe wrote: > > > That is of course your choice. Vendors in particular were prone to deny > > a vunerability existed unless exploit code were published to prove it. > > I've read this mantra over and over again in these discussions, and a > question occurs to me. Can anyone provide a *documented* case where a > vendor refused to produce a patch **having been properly notified of a > vulnerability** until exploit code was released? > > Definitions: > > "properly notified" means that the vendor received written notification > at a functional address (either email or snail mail) *and* responded > (bot or human) so that the sender knows the message was received. > > "documented" means that there is proof both of proper notification *and* > that a patch was not released in a timely manner > > "timely" means within two weeks of the notification > > "vendor" means any company that produces publicly available software - > open source or commercial > > Caveats: > > You cannot use a case where exploit code was released at the same time > the vulnerability announcement was made *or* within two weeks of the > announcement (see "timely") > > I'm not saying this doesn't occur. Just that it has the smell of urban > legend and justification for actions taken. > > -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- "I don't intend to offend, I offend with my intent" hellNbak@...c.org http://www.nmrc.org/~hellnbak -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Powered by blists - more mailing lists