lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTimsKhyNtcyby04qVuz4kpsGESaJejdADz1kPe5C@mail.gmail.com>
Date: Sun, 7 Nov 2010 22:05:34 -0500
From: Jeffrey Walton <noloader@...il.com>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: "Full Disclosure \(full-disclosure@...ts.grok.org.uk\)"
	<full-disclosure@...ts.grok.org.uk>,
	"Bugtraq \(bugtraq@...urityfocus.com\)" <bugtraq@...urityfocus.com>
Subject: Re: some ooold Juniper bugs (was: ZDI-10-231:
 Juniper Secure Access Series meeting_testjava.cgi XSS Vulnerability)

On Sun, Nov 7, 2010 at 7:57 PM, Michal Zalewski <lcamtuf@...edump.cx> wrote:
> This reminded me of a bunch of problems I spotted in Juniper SSL VPN a
> while ago; they are apparently fixed, but I don't recall seeing any
> public vendor advisory / credit for reporting them - so here you go,
> even if just for the record...
My impressions and experience: (1) some companies don't want to know
of problems in their software; (2) some companies don't want to fix
the reported problems in their software because the remainder of their
house of cards becomes unstable; (3) other companies want to know, but
don't want to publicly acknowledge the defect or offer credit; and (4)
a small number of companies want to know so they can fix and offer
credit.

Unfortunately, my observations seem to indicate very few companies
fall under (4). And my personal experience with software vendors
developing antivirus, firewall and other security software:
approximately 150 defects reported in 20 vendors. Only Symantec
published an advisory and offered credit.

And the political spin: companies get away with shipping broken
software and residing in (1) and (2) above because there are no
software liability laws, even though software enjoys intellectual
property protection. Reason: In America, corporate America bribes the
legislature (err, makes 'PAC contributions').

>
> [SNIP]
>

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ