Open Source and information security mailing list archives
Message-ID: <021e01c333f9$6a77df60$c71121c2@exchange.sharpuk.co.uk>
From: DaveHowe at gmx.co.uk (Dave Howe)
Subject: SRT2003-06-12-0853 - ike-scan local root format string issue

easctun wrote:
> Just out of curiosity, is the below considered Full Disclosure? When
> a user has to write the author for PoC code or further information?

Yes, it is. We may not like it - but it is the absolute right of the finder to release as much or as little of the exploit and/or advisory as they want to, when they want to (bearing in mind reasonable notification of the vendor, of course).

Any finder is as entitled to post "bug found, vendor $VENDOR notified, details may follow later" as a disclosure; obviously, that will impact both their credibility and the ability of scanner authors (for instance Nessus plugins) to add pattern checkers for that bug, but as long as they aren't spreading FUD they are fine (forcing more disclosure is as pro-censorship as preventing a fuller disclosure :)