[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <001c01c2c7cd$25afda60$6601a8c0@rms2>
From: rms at computerbytesman.com (Richard M. Smith)
Subject: Re: Full Disclosure != Exploit Release
Paul,
It happens to me all the time. Vendors just loose track of reports of
security holes. Hell, I even forget about them sometimes. What wakes
vendors up almost a 100% of the time is a call from a press person or a
message on Bugtraq or Full-disclosure. However, I've never found it
necessary to publish exploit code to get a vendor's attention. The
public disclosure of the existence of a problem is good enough. Once
the press gets involved with an issue, vendors attitudes change
immediately.
Richard
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of hellNbak
Sent: Wednesday, January 29, 2003 12:50 PM
To: Paul Schmehl
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Re: Full Disclosure != Exploit Release
Paul,
It is 2:30AM in my part of the world (Tokyo) I have been drinking
heavily
and I have a meeting in 4 hours. So forgive me for not posting the
exact
advisories adn exact examples but in my experiance with the various
mailing lists I have moderated, the various jobs I have held and the
various ohter interests Ihave -- I have ran into vendors willing to
eithe
rthreaten lawsuit or deny all together before they fix a vuln.
This is truly the case. Perhaps tomorrow afternoon I will send you my
specific examples.
On 29 Jan 2003, Paul Schmehl wrote:
> Date: 29 Jan 2003 10:23:23 -0600
> From: Paul Schmehl <pauls@...allas.edu>
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Re: Full Disclosure != Exploit Release
>
> On Wed, 2003-01-29 at 06:13, David Howe wrote:
>
> > That is of course your choice. Vendors in particular were prone to
deny
> > a vunerability existed unless exploit code were published to prove
it.
>
> I've read this mantra over and over again in these discussions, and a
> question occurs to me. Can anyone provide a *documented* case where a
> vendor refused to produce a patch **having been properly notified of a
> vulnerability** until exploit code was released?
>
> Definitions:
>
> "properly notified" means that the vendor received written
notification
> at a functional address (either email or snail mail) *and* responded
> (bot or human) so that the sender knows the message was received.
>
> "documented" means that there is proof both of proper notification
*and*
> that a patch was not released in a timely manner
>
> "timely" means within two weeks of the notification
>
> "vendor" means any company that produces publicly available software -
> open source or commercial
>
> Caveats:
>
> You cannot use a case where exploit code was released at the same time
> the vulnerability announcement was made *or* within two weeks of the
> announcement (see "timely")
>
> I'm not saying this doesn't occur. Just that it has the smell of
urban
> legend and justification for actions taken.
>
>
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak@...c.org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists