Re: Shiver me timbers.

[full-disclosure () lists netsys com (Steven M. Christey)]

aliver () xexil com said:

> What I'm hearing from the "whitehat community" is that other
> programmers not employed by that company have some obligation to not
> only report bugs, but also to point out how to fix them wherever
> possible...

The responsible disclosure draft recommends this, but it will be
weakened in the next version; it is a bit to ask of the person who's
notifying the vendor.  That said, some researchers *do* provide hints
or fix information to the vendor and/or public.

> I also don't feel, in most cases, I have any obligation to protect
> these "innocent" consumers from the evil software vendor.

Thank you for clarifying this (seriously, most opinions I've seen
focus only on "not helping the vendor").  One of the intentions of
responsible disclosure is to reduce the overall security threat to all
network-connected systems.  This comes at a cost to individuals or
organizations who have the skills and resources to use immediate
disclosure to protect their own systems (as mentioned by some people
on this list).  But it also suggests that responsible disclosure won't
apply to people who may have other goals in mind besides "improving
overall security."  (I'd be interested in hearing from people who
believe that responsible disclosure *wouldn't* improve overall
security for most systems, although I probably don't even need to ask
in this forum :-)

But even if you don't feel an obligation to those innocent customers,
it may ultimately affect you, as that could leave more
Internet-connected systems vulnerable, which could then be used as
launching points to attack your own systems.

- Steve