Bugtraq mailing list archives
Re: CERT, CIAC, etc. and unethical practices
From: Catherine.Allen () uniq com au (Catherine Allen)
Date: Mon, 23 Dec 1996 10:51:52 +1100
> On top of this most people I know who've handed things to the CERT(s) not only do not receive a reply, but we do not see any visible action taken even after a month or more.
If you're going to say something this inflammatory, please do mention *which* ERT/IRT you were dealing with. Having worked at AUSCERT, I can say from experience that all mail is answered. Having worked through some bug reports of this sort, I can also say that the vendors were leaned on very heavily to actually *do* something about the bug and that fixes were made available asap.
> I still do not understand the CERTs' attitudes towards some full disclosure groups and many individuals who are mainly interested in getting the holes fixed and are perfectly willing/happy to cooperate with vendors and CERT(s).
Because they're the poor bunnies who have to deal with all the sites that get broken into due to published exploit scripts! (There is generally a rash of sites that get cracked directly after the publication of an exploit - then there are rashes of follow-on cracks once the sniffer logs start filling :( ) Personally, I consider publishing an exploit to be a sign that you are *not* willing to work with a vendor (or an IRT). In effect, an exploit script reduces the amount of time available to fix a problem to zero, which encourages quick'n'dirty patches (likely sources of yet more bugs) ):
> 8lgm, Dave Meltzer
Who've been acknowledged in previous AUSCERT advisories...

Catherine.