Firewall Wizards mailing list archives
RE: Open Source vs. Closed Source [ was Re: Firewall Throughput ]
From: "Domenico De Vitto" <dom () devitto demon co uk>
Date: Mon, 16 Oct 2000 00:08:02 +0100
Possibly, or maybe the motive is more stick than carrot. Beat the vendor, and maybe his next release will spend more on testing than marketing.

Generally, if the vendor thinks that 4-5 weeks is a 'reasonable' time to produce a fix (like one popular OS vendor) then it's possible that spontaneous release of the information will positively affect that opinion. Alternatively, if you wait 6 weeks, then post, you may foster an attitude of 'only fix problems when and _if_ they significantly affect new sales'.

Dom

-----Original Message-----
From: firewall-wizards-admin () nfr net [mailto:firewall-wizards-admin () nfr net] On Behalf Of Graham, Randy (RAW)
Sent: 18 September 2000 16:43
To: 'firewall-wizards () nfr net'
Subject: RE: Open Source vs. Closed Source [ was Re: [fw-wiz] Firewall Throughput ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I can't see how reporting to the various repositories first can in any way help. You have to at least give the vendor an opportunity to fix it before you make a public disclosure, don't you? I mean, if you report it to the various lists first, you've just given criminal hackers another attack venue without any chance of a quick fix from the vendor. If you report it to the vendor first, you at least give a _chance_ that a patch can be made available when you post to the lists a few days later. I thought that was customary procedure. Sure, in many cases, you'll be ignored until you post, but on those occasions that the vendor tries to be responsible, don't you want to give them a chance to save their customers a little headache?

Randy Graham

-----Original Message-----
From: Johann van Duyn [SMTP:johann.vanduyn () appleton com]
Sent: Friday, September 15, 2000 7:45 AM
To: firewall-wizards () nfr net
Subject: RE: Open Source vs. Closed Source [ was Re: [fw-wiz] Firewall Throughput ]

For the record, the source code for Solaris (8) is now freely available from Sun Micro. There are a few conditions imposed on anyone who obtains the source code -- it's NOT Open Source -- but it is available.

Also, it makes a lot of sense not to report flaws in the source code -- or any other holes you may discover -- directly to the vendor of a product, but rather to organizations like CERT, SANS or BugTraq (or all of them!). Vendors usually jump quite quickly when flaws are reported on these forums. Add some example exploit code, and the vendors really get hyped about producing fixes.

Just my R0.02...

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBOcYwjRmX7SWIy+ClEQIDnQCbBFTGV+7NVDTtAdHoRX8lhv0rhVMAoPRl
cWzbeGfHhejQgi8qJEMMKW9j
=oWSZ
-----END PGP SIGNATURE-----

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
Current thread:
- RE: Open Source vs. Closed Source [ was Re: Firewall Throughput ] Domenico De Vitto (Oct 16)