Firewall Wizards mailing list archives

RE: Open Source vs. Closed Source [ was Re: Firewall Throughput ]


From: "Domenico De Vitto" <dom () devitto demon co uk>
Date: Mon, 16 Oct 2000 00:08:02 +0100

Possibly, or maybe the motive is more stick than carrot.

Beat the vendor, and maybe his next release will spend more on testing
than marketing.

Generally, if the vendor thinks that 4-5 weeks is a 'reasonable' time
to produce a fix (like one popular OS vendor), then it's possible that
spontaneous release of the information will positively affect that opinion.

Alternatively, if you wait 6 weeks, then post, you may foster an attitude
of 'only fix problems when and _if_ they significantly affect new sales'.

Dom

-----Original Message-----
From: firewall-wizards-admin () nfr net
[mailto:firewall-wizards-admin () nfr net]On Behalf Of Graham, Randy (RAW) 
Sent: 18 September 2000 16:43
To: 'firewall-wizards () nfr net'
Subject: RE: Open Source vs. Closed Source [ was Re: [fw-wiz] Firewall
Throughput ]


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I can't see how reporting to the various repositories first can in
any way help.  You have to at least give the vendor an opportunity to
fix it before you make a public disclosure, don't you?  I mean, if
you report it to the various lists first, you've just given criminal
hackers another attack venue without any chance of a quick fix from
the vendor.  If you report it to the vendor first, you at least give
a _chance_ that a patch can be made available when you post to the
lists a few days later.  I thought that was customary procedure. 
Sure, in many cases, you'll be ignored until you post, but on those
occasions that the vendor tries to be responsible, don't you want to
give them a chance to save their customers a little headache?

Randy Graham

-----Original Message-----
From:   Johann van Duyn [SMTP:johann.vanduyn () appleton com]
Sent:   Friday, September 15, 2000 7:45 AM
To:     firewall-wizards () nfr net
Subject:        RE: Open Source vs. Closed Source [ was Re: [fw-wiz]
Firewall Throughput ]

For the record, the source code for Solaris (8) is now freely available from
Sun Micro. There are a few conditions imposed on anyone who obtains the
source code -- it's NOT Open Source -- but it is available.

Also, it makes a lot of sense not to report flaws in the source code -- or
any other holes you may discover -- directly to the vendor of a product, but
rather to organizations like CERT, SANS or BugTraq (or all of them!).
Vendors usually jump quite quickly when flaws are reported on these forums.
Add some example exploit code, and the vendors really get hyped about
producing fixes.

Just my R0.02...


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
