Firewall Wizards mailing list archives
Re: Open Source vs. Closed Source [ was Re: [fw-wiz] FirewallThroughput ]
From: Chris Calabrese <christopher_calabrese () merck com>
Date: Fri, 15 Sep 2000 08:17:44 -0400
Yeah, I thought of that. The issues surrounding my constraints on disclosure are pretty complicated, though, so just doing an anon post probably won't work for me. I've been trying to work out a solution, and you may see white smoke soon.

amanda wrote:

> You could always make an anonymous post to bugtraq and attach some exploit code for the script kiddies. That should get the vendor's attention. Or at least it will make some other customers complain loudly to the vendor. Just look at how Microsoft reacted to last summer's IIS exploit from eEye. For several days they completely ignored it until it turned up on bugtraq. Then they fixed it in a few hours.
>
> Amanda.
>
> On Thu, 14 Sep 2000, Chris Calabrese wrote:
>
> > In almost every case, when I've reported these holes to the vendors, they were ignored. Since I am constrained in my ability to disclose these holes to the general public (for other reasons), the holes are still out there waiting to be exploited. This also matches my experience when I've worked for major software vendors. Security holes generally are only addressed if genuine customers complain about them, if the company's own IT shop complains about them, or if some certification that's needed for a big contract gets rejected because of them.