Message-ID: <3E39A551.6060600@guninski.com>
From: guninski at guninski.com (Georgi Guninski)
Subject: CERT, Full Disclosure, and Security By Obscurity
Ben Laurie wrote:
> Len Rose wrote:
>
>> With the recent evidence that CERT informed its paying members about
>> the Sapphire SQL worm before the rest of the world should now indicate
>> that they too are not a useful resource for timely and open security
>> information.
>
> This is news why? CERT told me that is what they wanted to do when I
> was, errm, in dispute with them over timing of the release of the
> OpenSSL holes last year. I believe I mentioned it at the time.
>
> That's one reason I won't pre-notify CERT (or, indeed, anyone else
> [other than the vendor]) anymore.
>
According to:
http://www.businessweek.com/technology/cnet/stories/982663.htm
".....But Litchfield said he felt "a betrayal of trust" because CERT had "leaked
(the information) to certain organizations and government departments" before
passing it on to IT workers...."
There was a more interesting article on eWeek yesterday.
Recently, when I notified some vendors about a vulnerability, I wrote something
like a license agreement that the info should not be disclosed to m$, cert,
mitre, sf and others.
Georgi