Message-ID: <3E383A1C.4060209@thievco.com>
From: BlueBoar at thievco.com (Blue Boar)
Subject: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release
Strategic Reconnaissance Team wrote:
> Very good points. I've considered most of these and they all make
> sense. As far as corporate politics are concerned, don't you think that
> exploit disclosure could hurt vendor relationships? Granted, we are not
> going to make our decision on that premise but it would be a nice thing
> to avoid.
Given what I know about your business model (which, I understand, is you
research or acquire vulnerabilities, notify the vendor, and see if they are
interested in consulting work) then no, they would probably not want to see
the exploits released publicly. The vendor would probably like to have the
exploit themselves, but not have it made public.
One problem with anyone making private exploits is that they always seem to
get leaked, no matter who it is. I don't know if that is pro or con for
releasing public exploit, but it's something to keep in mind if there is a
concern about the exploit "getting out."
Naturally, if someone writes an exploit, they can do whatever they want
with it. I think there are several business models where it absolutely
makes sense from a business perspective to not release exploits. With
yours, it may make sense to not release exploits. For scanner vendors, it
absolutely makes sense for them to not release exploits (to the public, for
free, I mean. Not all of them, anyway.)
My main concern is that a climate not develop such that people who wish to
release exploits cannot do so, because all the big guys who can stand up
for themselves have quit doing so, and the little guys can be threatened
back into the underground.
BB