Message-ID: <226A79C4618AD945B527EA7F475EA2C65B8D68@atlmaiexcp01.iss.local>
From: dsi at iss.net (Ingevaldson, Dan (ISS Atlanta))
Subject: Information Week: 2/3 of pros want immediate disclosure

Figures lie and liars figure.  It's all in the way the question was
phrased:

"When should software vendors disclose software vulnerabilities to their
customers?" This was the wording in the InformationWeek article that
Steve posted.  66% said "immediately".  

What would the results look like if you asked a loaded question that
leaned in the other direction?

"Should software vendors disclose information about software
vulnerabilities to the global hacking community at the same time as all
their customers who haven't yet implemented a working patch management
process?"

I imagine the results would be slightly different.  Take this study with
a grain of salt.

------------------
Daniel Ingevaldson
Director, X-Force R&D/PSS
dsi@....net 
404-236-3160
 
Internet Security Systems, Inc.
Ahead of the Threat
http://www.iss.net
 

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Ron
DuFresne
Sent: Thursday, July 08, 2004 12:04 PM
To: Steven M. Christey
Cc: Full-Disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Information Week: 2/3 of pros want
immediate disclosure


Which adds to the full disclosure debate a resounding, disclose asap.
And shows that many in the industry feel this is needed to not only
address issues in their envs as quickly as possible to mitigate problems
until a fix/patch is available, but, that most feel disclosure puts the
pressure on their vendors to respond to issues as they become disclosed.

Thanks,

Ron DuFresne

On Wed, 7 Jul 2004, Steven M. Christey wrote:

>
> Information Week just posted an article titled "Disclosure: Security 
> Pros Want Flaw Information Sooner" in which they surveyed 7,000 
> business technology and security professionals.  66% argued for 
> immediate disclosure upon discovery, and another 32% wanted disclosure
> once a patch was available, leaving only 2% who said that there was no
> need to disclose vulnerabilities at all:
>
> http://www.informationweek.com/story/showArticle.jhtml?articleID=22103495
>
> - Steve
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
