Message-ID: <20040526200439.GA13358@tempest.stormcenter.net>
From: live4java at stormcenter.net (Mister Coffee)
Subject: Re: Cisco's stolen code

Jason,

Your middle of the road approach is probably the best.  Proper advisory release process would have "us" notify the vendor of a code flaw and give them time to respond and post an advisory before releasing a sploit or advisory to the wild ourselves.  Timeframe would depend on the severity, and it would probably be fine to give people a heads up on the issue. 

(Without being overly specific.  e.g. "There's a potentially bad bug in IOS.  Vendor's been notified.  Enable "STOP_EVIL_HAXOR" to mitigate the threat.  Vendor will release details.")

I'm not sure it came across in my post, but for discussion's sake I was assuming the advisory was being released with the honest intention of protecting infrastructure, rather than as an attempt to gain glory.

Cheers,
L4J

On Wed, May 26, 2004 at 12:52:06PM -0400, Jason Weisberger wrote:
> I think the line needs to be drawn somewhere in the middle.  Using
> stolen Cisco code to find vulnerabilities in their software and
> publishing advisory notices based on stolen code is unethical.  A common
> middle-ground would be to inform the company and not publish the
> advisory.  In this way, the company can release its own advisory and
> will probably let you go unchecked.  If it's fame and fortune you're
> looking for, then release the advisory while realizing the risk of being
> sued by Cisco for possession of their intellectual property.
> 
> I suggest being humble.
> 
> Jason Weisberger
> http://www.csrev.com
> 
> Mister Coffee wrote:
<long assed thread snipped> 
