Message-ID: <21578.1186526965@turing-police.cc.vt.edu>
Date: Tue, 07 Aug 2007 18:49:25 -0400
From: Valdis.Kletnieks@...edu
To: Jared DeMott <demottja@....edu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Right, or wrong?
On Tue, 07 Aug 2007 17:46:51 EDT, Jared DeMott said:
> vendor. I was thinking that this would be ideal since the vendor would
> have the most interest in knowing about/fixing the bug.
That's a dubious statement at best.
What a commercial vendor is interested in is minimizing their *total cost*
of providing whatever level of security they do. As a result, unless the
bad press starts impacting product sales, the *best* stance is "stick head
in sand and pretend it's bulletproof". Second best is "issue lots of press
releases saying we're dedicated to security". Actually spending the big bucks
to make the product secure is a *distant* third.
And the instant they actually *buy* a bug report, they've lost all semblance
of plausible deniability. "D'Oh! somebody reported it in our bugzilla but we
overlooked it" doesn't work if you've obviously *not* overlooked it to the
point of writing the submitter an actual check.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/