lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1043868544.4468.149.camel@localhost.localdomain>
From: recon at snosoft.com (Strategic Reconnaissance Team)
Subject: [Secure Network Operations, Inc.] Full
	Disclosure != Exploit Release

We are considering nessus as an option. When we make our final decision
I will make it a point to send a notification message to full
disclosure.


On Wed, 2003-01-29 at 11:48, Georgi Guninski wrote:
> Personally don't care whether you release exploits or not.
> 
> But will you use nessus and such?
> Because someone filled the nessus db imho.
> 
> Georgi Guninski
> http://www.guninski.com
> 
> Strategic Reconnaissance Team wrote:
> > All, 
> > 
> > I have been following the subject of full disclosure for a while, and as
> > most of you know, have dealt with some of the issues that full
> > disclosure can cause (HP/Secure Network Operations/DMCA).  While the
> > idea of full disclosure is a good idea, and while we support it, we feel
> > that the exploit source code should not be released to everyone.
> > 
> > It is possible to prove a vulnerability exists by releasing well written
> > advisories.  Because of this fact, proof of concept code (exploit
> > source) is not a requirement for the education of the possibly
> > vulnerable. Releasing non-malicious exploit code is also not an option
> > as any local script bunny/kiddie can easily render it functional.
> > 
> > Proof of concept code is useful for legitimate contract based
> > penetration tests. It is also useful for study as it demonstrates
> > fundamental flaws computers today (not built in security). But again,
> > proof of concept code is not for everyone.
> > 
> > I am interested in hearing the opinions of the people on this list. If
> > you are for exploit source disclosure, I would like to hear arguments
> > supported by facts, that explain why.  I am equally interested in
> > reasons why not to disclose information. 
> > 
> > With that said, Secure Network Operations, Inc. will no longer be
> > releasing functional proof of concept code. We may release sufficiently
> > detailed advisories. 
> > 
> > 	
-- 
Strategic Reconnaissance Team <recon@...soft.com>
Secure Network Operations, Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030129/6e9459f2/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ