[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <002001c2c7c0$6b0d30b0$c3600a3e@vex>
From: andrea.vecchio at bsc.it (Andrea Vecchio)
Subject: R: [Secure Network Operations, Inc.]FullDisclosure != Exploit Release
> Da: full-disclosure-admin@...ts.netsys.com
>
> Good points,
> One question remains however. If we are to attach
> exploit code to our
> advisories, how do we protect the innocent from attacks by malicious
> people using our exploit code? I honestly believe that exploits are
> digital munitions that should be distributed under
> restrictions. Do you
> agree that a vulnerability can be clearly demonstrated in an
> advisory by
> showing debugger output and explaining the output? If proof of concept
> code needs to be made, it could be generated from the detail in the
> advisory. Why is that not a solution?
Sorry, but I think that full disclosure, by definition, is
telling something without careing a think about consequences.
I'm not telling whether it's right or not, but so it is.
If we believe in full disclosure (as i do) we have (silently)
accepted that what we're saying can be used in different ways.
"full disclosure" != "exploit release", but
"exploit release" C "full disclosure"
( C -> belongs to :)
By! A.
Powered by blists - more mailing lists