lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <002001c2c7c0$6b0d30b0$c3600a3e@vex>
From: andrea.vecchio at bsc.it (Andrea Vecchio)
Subject: R: [Secure Network Operations, Inc.]FullDisclosure != Exploit Release

> Da: full-disclosure-admin@...ts.netsys.com
> 
> Good points, 
> 	One question remains however.  If we are to attach 
> exploit code to our
> advisories, how do we protect the innocent from attacks by malicious
> people using our exploit code? I honestly believe that exploits are
> digital munitions that should be distributed under 
> restrictions. Do you
> agree that a vulnerability can be clearly demonstrated in an 
> advisory by
> showing debugger output and explaining the output? If proof of concept
> code needs to be made, it could be generated from the detail in the
> advisory. Why is that not a solution? 

Sorry, but I think that full disclosure, by definition, is 
telling something without careing a think about consequences.
I'm not telling whether it's right or not, but so it is.
If we believe in full disclosure (as i do) we have (silently)
accepted that what we're saying can be used in different ways.
"full disclosure" != "exploit release", but 
"exploit release" C "full disclosure"
( C -> belongs to :)
By! A.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ