Open Source and information security mailing list archives
Message-ID: <42CC1563.40109@alt.net>
Date: Wed Jul 6 18:41:37 2005
From: nop at alt.net (Lionel)
Subject: Re: Publishing exploit code - what is it good for

Aviram Jenik wrote:

> What I need is a security administrator, CSO, IT manager or sys admin that can
> explain why they find public exploits are good for THEIR organizations. Maybe
> we can start changing public opinion with regards to full disclosure, and
> hopefully start with this opinion leader.

Speaking with my sysadmin, netadmin & (sometimes) IT manager hats on, the reason *I* value full-disclosure security reports is simply because of the business politics involved in dealing with security issues at a company level.

It's much, *much* easier to convince a CEO/CIO to allocate urgent resources (in both labour & funding) to deal with a *proven* security vulnerability, than to a 'theoretical' security issue.

And another business slant on this is that it's better to be one of millions of organisations being threatened by a well-documented, publicly-known exploit that'll probably be patched by the software vendor or neutralised by the anti-virus companies in a few days, than to be one of a few dozen organisations targeted by professional extortionists with *unreported* vulnerabilities in their toolkit, for which you have zero knowledge, & against which you are helpless.