Firewall Wizards mailing list archives
RE: Open Source vs. Closed Source [ was Re: Firewall Throughput ]
From: Nick Evans <nevans () nextvenue com>
Date: Sat, 23 Sep 2000 01:01:58 -0400
Rain Forest Puppy outlined a nice reporting policy for bugs and such:
http://www.wiretrip.net/rfp/policy.html

Nick

-----Original Message-----
From: Graham, Randy (RAW) [mailto:RAW () y12 doe gov]
Sent: Monday, September 18, 2000 11:43 AM
To: 'firewall-wizards () nfr net'
Subject: RE: Open Source vs. Closed Source [ was Re: [fw-wiz] Firewall Throughput ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I can't see how reporting to the various repositories first can in any way help. You have to at least give the vendor an opportunity to fix it before you make a public disclosure, don't you? I mean, if you report it to the various lists first, you've just given criminal hackers another attack venue without any chance of a quick fix from the vendor. If you report it to the vendor first, you at least give a _chance_ that a patch can be made available when you post to the lists a few days later. I thought that was customary procedure. Sure, in many cases, you'll be ignored until you post, but on those occasions that the vendor tries to be responsible, don't you want to give them a chance to save their customers a little headache?

Randy Graham

- -----Original Message-----
From: Johann van Duyn [SMTP:johann.vanduyn () appleton com]
Sent: Friday, September 15, 2000 7:45 AM
To: firewall-wizards () nfr net
Subject: RE: Open Source vs. Closed Source [ was Re: [fw-wiz] Firewall Throughput ]

For the record, the source code for Solaris (8) is now freely available from Sun Micro. There are a few conditions imposed on anyone who obtains the source code -- it's NOT Open Source -- but it is available.

Also, it makes a lot of sense not to report flaws in the source code
- -- or any other holes you may discover -- directly to the vendor of a product, but rather to organizations like CERT, SANS or BugTraq (or all of them!). Vendors usually jump quite quickly when flaws are reported on these forums. Add some example exploit code, and the vendors really get hyped about producing fixes.
Just my R0.02...

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBOcYwjRmX7SWIy+ClEQIDnQCbBFTGV+7NVDTtAdHoRX8lhv0rhVMAoPRl
cWzbeGfHhejQgi8qJEMMKW9j
=oWSZ
-----END PGP SIGNATURE-----

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
Current thread:
- RE: Open Source vs. Closed Source [ was Re: Firewall Throughput ] Graham, Randy (RAW) (Sep 18)
- <Possible follow-ups>
- RE: Open Source vs. Closed Source [ was Re: Firewall Throughput ] Nick Evans (Sep 23)