| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu Apr 27 23:38:09 2006
From: tim-security at sentinelchicken.org (Tim)
Subject: MSIE (mshtml.dll) OBJECT tag vulnerability
> Full Disclosure is a good thing and anyone involved in the security
> community should be thankful for its existence! If people actually believe
> that the 0-days posted to this list are all 100% unique.... all i can say is
> wow, you're disconnected.
Ditto.
Case study:
At least twice in the last year, myself and coworkers have found
vulnerabilities in widely-deployed software while performing pentests,
only to find someone else posted the exact same flaws before we had a
chance to. No, we didn't leak these holes, they were found
independently prior to us finding them. I imagine this happens a lot.
Notifying a vendor prior to public disclosure probably helps the public
more than it hurts, at least initially. But if one waits too long on
the vendor, someone else *will* find the hole and may decide to use it
for various nasties. Knowing what that break-even point is in delaying
disclosure involves knowing many variables that can only be estimated.
Therefore the amount you "should" wait on a vendor to disclose is very
subjective even if we all agree we should be defending the public (which
on this list, is not the case). So, why don't we stop arguing about it
and just deal with the information the best we can?
tim
PS- For those of you complaining about MZ, how long will you sit in
Microsoft's frying pan[1]? Why not get out so you don't have to
worry about it?
1. http://www.clichesite.com/content.asp?which=tip+2858
Powered by blists - more mailing lists