[<prev] [next>] [day] [month] [year] [list]
Message-ID: <DEDFD939A181F94AAF3D965C58B7AADC01FCE461@001fntcex01.fnb.fnni.com>
Date: Wed Jul 27 21:37:40 2005
From: mmadison at fnni.com (Madison, Marc)
Subject: Our Industry Is Seriously Ethics Impaired
>There are some issues here I don't know if 3com has reviewed them all.
But they are really putting themselves in
>a policing action, where I don't think that this community or the IT
industry would be willing to accept.
It's not 3COM, it's "tipping point" a division of 3com, that (oh go
figure) sells IPS systems. Now why would a IPS vendor want 0day? :)
>-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of DAN
MORRILL
Sent: Wednesday, July 27, 2005 1:16 PM
To: measl@....org; full-disclosure@...ts.grok.org.uk
Subject: RE: [Full-disclosure] Our Industry Is Seriously Ethics Impaired
Interesting concept,
Brings in mind though the last conversation on this list about Oracle
taking two years to develop a patch (even if it was one character in one
line of code).
So is 3com willing to lean on Oracle or Microsoft, or Real, or anyone
else to get the patch done in a reasonable time frame? So that the
finder of the issue does not get bored or angry or worried that someone
else will discover it and then claim full credit for it?
There are some issues here I don't know if 3com has reviewed them all.
But they are really putting themselves in a policing action, where I
don't think that this community or the IT industry would be willing to
accept.
I could see CERT doing this, but not 3com.
Thanks!
r/Dan
Sometimes MSN E-mail will indicate that the mesasge failed to be
delivered.
Please resend when you get those, it does not mean that the mail box is
bad, merely that MSN mail is over worked at the time.
>From: "J.A. Terranson" <measl@....org>
>To: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
>Subject: [Full-disclosure] Our Industry Is Seriously Ethics Impaired
>Date: Tue, 26 Jul 2005 21:56:45 -0500 (CDT)
>
>
>Yet another voice baying at the moon.
>
>--
>Yours,
>
>J.A. Terranson
>sysadmin@....org
>0xBD4A95BF
>
>
>"A stock broker is someone who handles your money until its all gone."
>Diana Hubbard (of Scientology fame)
>
>-----------------------------------------------------------------------
>
>http://informationweek.com/story/showArticle.jhtml?articleID=166402192
>
>3Com Rewards 'Responsible' Disclosure Of Security Flaws July 25, 2005
>EMAIL THIS ARTICLE
>PRINT THIS ARTICLE
>DISCUSS THIS ARTICLE WRITE TO AN EDITOR
>
>
>
>The company is planning to reward security researchers who reveal
>information on newly discovered vulnerabilities.
>By John Walko
>EE Times
>
>
>
>LONDON . Data networking group 3Com is planning to reward security
>researchers who reveal information on newly discovered vulnerabilities
as
>part of an initiative run by its TippingPoint division.
>
>The so called .Zero Day Initiative. is aimed at ensuring the
'responsible'
>disclosure of security flaws in order to make technology more secure
for
>all users. The goal is to proactively protect businesses against newly
>discovered vulnerabilities.
>
>According to 3Com, many security researchers want to be recognized for
>their discovery, but they don't always achieve that in a responsible
>manner. Instead, and all too often, they post the potentially harmful
>information publicly, catching businesses and vendors off-guard and
>unprotected.
>
>The initiative will recognize researchers for the discovery when the
>vulnerability is publicly disclosed with the vendor's patch.
>
>3Com will notify affected vendors of security flaws so they can
>immediately begin working on a solution, most often in the form of a
>patch. The vulnerabilities will only be disclosed publicly once the
>affected vendor is able to offer a solution to end users, mitigating
the
>threat.
>
>Providing pre-emptive protection will be done through 3Com subsidiary
>TippingPoint.s Digital Vaccine service.
>
>The company stressed it would share vulnerability details freely with
>other security vendors prior to public disclosure.
>
>3Com CTO Marc Willebeek-LeMair said the initiative would ultimately
>benefit everyone in the industry: security and technology vendors,
>security researchers and end users.
>
>Vulnerabilities enable attackers to gain control of a system for
malicious
>purposes. They can also result in worms or Denial of Service attacks,
>which can bring down entire networks.
>
>Zero day disclosure occurs when the discoverer of the vulnerability
>discloses the flaw to the public without notifying the vendor, putting
>businesses at risk from the time of disclosure until the affected
vendor
>issues a patch. It can take vendors weeks or months to supply a patch.
>
>David Endler, Director of Security Research for 3Com's TippingPoint
>division, said: "This program will extend our research organization
even
>further, and enable us to tap some of the most brilliant minds in the
>global security research community..
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's
FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists