Message-ID: <5062B89B.40009@security-explorations.com>
Date: Wed, 26 Sep 2012 10:11:07 +0200
From: Security Explorations <contact@...urity-explorations.com>
To: Chris Evans <scarybeasts@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [SE-2012-01] Critical security issue
affecting Java SE 5/6/7
On 2012-09-26 01:30, Chris Evans wrote:
> I don't see any details?
> This list is "full disclosure", not "touch self in public".
Our Disclosure Policy [1] is something in between Full Disclosure
and Responsible Disclosure. It has certain advantages, such as the
ability to carry an early warning to the public regarding security
risks identified in a given software / technology. Due to our "old
fashioned" approach to communication (we don't tweet, blog, etc.),
we carry these warnings by means of sending posts to the Bugtraq
and Full Disclosure mailing lists. I am not sure if you remember
those times, but for many years these lists have been the premier
source of information for many with respect to security weaknesses,
attacks and exploitation techniques.
So far, all of our Oracle Java SE findings have been confirmed by the
vendor (this includes Issue 50 announced yesterday). Vendors that
avoided or neglected to do so always faced the risk of having their
issues disclosed without any warning [2].
It is the lists' moderators, not you, who decide what content gets
accepted to the Bugtraq / Full Disclosure mailing lists. If you disagree,
I suggest that you contact the proper list moderator and continue your
discussion with him.
We will continue our way of conducting security research and the disclosure
process regardless of your or others' voices of objection. We simply
believe in our cause.
As for the actual disclosure of the 50 Java issues we uncovered in
Oracle's Java SE, IBM Java and Apple QuickTime for Java, we plan to
publish the technical vulnerability details as first indicated in our
FAQ [3] in Apr 2012. If you expected that we would publish the details
now and put an estimated 1 billion desktop Java users at
risk, then I suggest you ask your employer what the company thinks
about the value of doing so.
Thank you.
--
Best Regards,
Adam Gowdiak
---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------
References.
[1] Security Explorations, Disclosure Policy
http://www.security-explorations.com/en/disclosure-policy.html
[2] SE-2012-01 Press Info (2)
http://www.security-explorations.com/en/SE-2012-01-press2.html
[3] SE-2012-01 Frequently Asked Questions
http://www.security-explorations.com/en/SE-2012-01-faq.html