lists.openwall.net - Open Source and information security mailing list archives
From: guninski at guninski.com (Georgi Guninski)
Subject: Re: David Litchfield talks about the SQL Worm in the Washington Post

David Litchfield wrote:
..snip...
 > With this in mind I am questioning the benefits of publishing proof of
 > concept code. I am due to present a paper on the remotely exploitable buffer
 > overrun in the Microsoft Locator service at Blackhat this February but
 > should I then also publish the code used to demonstrate the problem? Should
 > I even be discussing the problem in a public arena?
 >
 > Some will argue that full disclosure is a good thing. Others will abhor it.
 > There is no one correct answer - it must be a personal decision and for the
 > moment I am undecided.
 >

So Litchfield, snosoft and others are "uncertain" whether they should disclose
PoC, seemingly because of a worm.
Does this impact the availability of PoC for bugs in the past month?
I think the answer is clearly "no" - cf. "[Full-Disclosure] locator exploit" and
"[Full-Disclosure] Exploit for CVS double free() for Linux pserver".
IMHO this proves that the author not releasing PoC does not significantly impact
the availability of the exploit (there are more examples in the past year).
Which reminds me of a poem by an author I can't remember, which is taught in .bg
schools - "I fell, another one comes in my place, what the fsck does one person
matter" (very roughly translated to English; I don't remember exactly even the .bg
version).

Georgi Guninski
http://www.guninski.com
