| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1074609615-1110662431-cardhu_blackberry.rim.net-15160-@engine55> From: jasonc at science.org (Jason Coombs) Subject: Reuters: Microsoft to give holes info to UncleSam first - responsible vendor notification may not be a goodidea any more... Anyone really interested in getting zero day exploits to use for evil purposes has always known that the second best way to do that, right after hiring a black hat to find them, is to intercept priority communications between people who respond to ?responsible disclosure? incidents. Microsoft cannot control the spread of vulnerability exploit information. Everyone can defend against a serious threat if they know it exists, whether or not there is a vendor patch, third-party security product, or workaround remediation/defensive configuration possible. ?Responsible disclosure? has never been responsible. It has always been a clever manipulative tool to expand the economic importance of certain people's business agendas. Just look at where the founders of ?responsible disclosure? have gone today... The only fair disclosure policy is full disclosure. Regards, Jason Coombs jasonc@...ence.org
Powered by blists - more mailing lists