Message-ID: <001c01c2c7cd$25afda60$6601a8c0@rms2>
From: rms at computerbytesman.com (Richard M. Smith)
Subject: Re: Full Disclosure != Exploit Release

Paul,

It happens to me all the time.  Vendors just lose track of reports of
security holes.  Hell, I even forget about them sometimes.  What wakes
vendors up almost 100% of the time is a call from a press person or a
message on Bugtraq or Full-disclosure.  However, I've never found it
necessary to publish exploit code to get a vendor's attention.  The
public disclosure of the existence of a problem is good enough.  Once
the press gets involved with an issue, vendors' attitudes change
immediately.

Richard

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of hellNbak
Sent: Wednesday, January 29, 2003 12:50 PM
To: Paul Schmehl
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Re: Full Disclosure != Exploit Release


Paul,

It is 2:30AM in my part of the world (Tokyo), I have been drinking
heavily, and I have a meeting in 4 hours.  So forgive me for not posting
the exact advisories and exact examples, but in my experience with the
various mailing lists I have moderated, the various jobs I have held and
the various other interests I have -- I have run into vendors willing to
either threaten lawsuit or deny altogether before they fix a vuln.

This is truly the case.  Perhaps tomorrow afternoon I will send you my
specific examples.

On 29 Jan 2003, Paul Schmehl wrote:

> Date: 29 Jan 2003 10:23:23 -0600
> From: Paul Schmehl <pauls@...allas.edu>
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Re: Full Disclosure != Exploit Release
>
> On Wed, 2003-01-29 at 06:13, David Howe wrote:
>
> > That is of course your choice. Vendors in particular were prone to deny
> > a vulnerability existed unless exploit code were published to prove it.
>
> I've read this mantra over and over again in these discussions, and a
> question occurs to me.  Can anyone provide a *documented* case where a
> vendor refused to produce a patch **having been properly notified of a
> vulnerability** until exploit code was released?
>
> Definitions:
>
> "properly notified" means that the vendor received written notification
> at a functional address (either email or snail mail) *and* responded
> (bot or human) so that the sender knows the message was received.
>
> "documented" means that there is proof both of proper notification *and*
> that a patch was not released in a timely manner.
>
> "timely" means within two weeks of the notification
>
> "vendor" means any company that produces publicly available software -
> open source or commercial
>
> Caveats:
>
> You cannot use a case where exploit code was released at the same time
> the vulnerability announcement was made *or* within two weeks of the
> announcement (see "timely")
>
> I'm not saying this doesn't occur.  Just that it has the smell of urban
> legend and justification for actions taken.
>
>

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@...c.org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

