Re: Half Disclosure

[Dave Aitel <dave () immunitysec com>]

halvar () gmx de wrote:

> Honestly, I think a mailing list where advisories with targets but no 
> details are posted
> would be hilarious,

This is basically what bugtraq has turned into, I think. It's what Weld 
and Microsoft were pushing for with the OIS, and to some extent they've 
partially succeeded. It's also interesting to note the lack of people 
posting to Securityfocus mailing lists these days. For me the funny 
thing is how people always assume they're the first people to find a 
bug. Waiting three months until you release technical details is moot if 
every likely target was owned years ago.


> and so would be a mailing list with exploits minus targets. 

How would one go about doing this? Obfuscated code? I guess it's easier 
for client side bugs: "Here is an HTML page that owns something in some 
configuration." I guess it's possible for certain remote bugs too. This 
would definately rock. Feel free to do it here. :>

> Alternatively,
> I kinda like the idea of a mailing list where one can post hashes of 
> textfiles explaining
> a vulnerability. Once the vulnerability is discovered elsewhere (or 
> just fixed accidentally), the
> full text can be posted. This would allow for some very interesting 
> estimates on how long
> bugs are known before they get fixed, without actually disseminating 
> the bugs.

deff2b2c54d0ab382002698229c98be6 . This one just got fixed. I'm not sure 
if I'm going to release it or not. :>

Dave Aitel
Immunity, Inc.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave