Firewall Wizards mailing list archives

Re: Open Source vs. Closed Source [ was Re: Firewall Throughput ]


From: dbell <dbell () bway net>
Date: Mon, 18 Sep 2000 15:54:28 -0400 (EDT)

No no no! Please don't do this. This brings a knee jerk reaction and often
doesn't give time for proper regression testing of fixes. In the meantime,
the script kiddies can go blasting around to their hearts' content.
Better to post a patch for the problem (if possible). That serves two
purposes: make the problem known, and fix it at the same time.

That's fine, IF it motivates the vendor to fix the problem in some kind of
"official" or "supported" way. As silly as it is, some of us work in
environments where installing code from bugtraq on production systems is
not acceptable. It has to come from the vendor, and must come with that
vendor's willingness to support the code. I'm sure I'm not the only one in
this boat.

Doesn't mean that that's the right way to do it. It means that the vendor
has to take all of their resources that may be working on other important
security issues and preempt them for a quick and dirty fix.

By giving the vendor plenty of lead time prior to publication, you will
have given them ample time to deploy the necessary resources. If they have
chosen not to do so for weeks or months, that's their problem. Especially
if you post a fix (and sent them one when you made initial contact), there
is simply no excuse for a vendor to let problems go unaddressed for
extended periods.

--
Daniel Bell
Heuer's Law: Any feature is a bug unless it can be turned off.


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards