Bugtraq mailing list archives
Re: UnixWare
From: c617666 () sgi7 phlab missouri edu (Paul Walmsley)
Date: Sat, 30 Apr 1994 17:54:57 -0500 (CDT)
On Sat, 30 Apr 1994, Gene Spafford wrote:
No, but I had thought they had advertised themselves as a worthwhile place to report them, and my perception, and apparently that of many other people here, is that this is not the case.
It depends on your definition of "useful." If it is defined as "gets the bug reports to all the vendors without also disclosing it to any real or potential bad guys in the process; follows up the report to make sure that the vendors are maybe working on it; and then provides a wide-ranging, trusted announcement method to alert people when the fixes are available" then it *is* worthwhile.
I think you're being pretty naive in assuming that telling only the vendors avoids "disclosing it to any real or potential bad guys." Not only might there be "bad guys" at the vendor, but it's also quite possible that the "bad guys" were the first to discover the hole and are running around happily exploiting it while CERT waits to "make sure that the vendors are maybe working on it."
-Paul