Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

full disclosure and vendor education

From: ant () NOTATLA DEMON CO UK (Antonomasia)
Date: Sat, 20 Feb 1999 23:03:57 GMT

We are not going to get anywhere in software security until suppliers
(I nearly said vendors) become more aware of the problems their code
often has.

There is a wide range of knowledge and ability among software suppliers.
The upper end has its problems; the lower end is a menace.

Many list readers work hard at eliminating security bugs from their sites
and do not look kindly on the flow of new and avoidable incoming bugs.
When you raise likely bug reports with a suppliers they can go something
like this:


   Us> We just got "foo v10" from you.  We noticed a remotely-accesible
   Us> buffer overrun reaching the stack pointer in a root-run program.
   Us> This is a security problem we'd like you to fix.


   Them> Thank you for your interest.  We are not aware of any security
   Them> issues with our industry-leading product.


With a full-disclosure archived list you have an educational resource to
lead these guys to, even if you can't make them think.

Spaf's point on making a dangerous bug known first to the public rather than
the supplier is of course a valid one.


--
##############################################################
# Antonomasia   ant () notatla demon co uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
Previous By Date Next
Previous By Thread Next

Current thread: