Firewall Wizards mailing list archives

Re: Open Source vs. Closed Source [ was Re: Firewall Throughput ]


From: Doug Hughes <doug () Eng Auburn EDU>
Date: Sun, 17 Sep 2000 10:45:25 -0500 (CDT)

On Fri, 15 Sep 2000, amanda wrote:


> You could always make an anonymous post to bugtraq and attach some exploit
> code for the script kiddies. That should get the vendors attention. Or at
> least it will make some other customers complain loudly to the vendor.

No no no! Please don't do this. This brings a knee-jerk reaction and often
doesn't give time for proper regression testing of fixes. In the meantime,
the script kiddies can go blasting around to their hearts' content.
Better to post a patch for the problem (if possible). That serves two
purposes: make the problem known, and fix it at the same time.

> Just look at how Microsoft reacted to last summer's IIS exploit from eEye.
> For several days they completely ignored it until it turned up on bugtraq.
> Then they fixed it in a few hours.

Doesn't mean that that's the right way to do it. It means that the vendor
has to take all of their resources that may be working on other important
security issues and preempt them for a quick and dirty fix.

                        doug () eng auburn edu


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

