Full Disclosure mailing list archives
Re: [VulnWatch] Sun passwd(1) Command Vulnerability
From: "Steven M. Christey" <coley () mitre org>
Date: Sun, 7 Mar 2004 18:08:54 -0500 (EST)
"Jay D. Dyson" <jdyson () bugtraq org> said:

> I often find the grammar used in security advisories and briefs to be confusing, and I'm forced to wonder if the wording is deliberate. Historically, when security companies have made claims that they could not verify, they have been dealt with in a very public, and very humiliating fashion, so I rather suspect that meticulous care is put in the phrasing without making any brash unverified statements, that could cause such embarrassment to said company.
In the case of CVE, sometimes we have chosen to "soften" our descriptions and use phrases such as "may do X" or "possibly has Y impact" because:

1) Exploitability is not always easily or immediately proven - at least not publicly, anyway.

2) Vulnerability details are not always known, so one would need to put in the effort to figure out the vulnerability before crafting the exploit.

3) Few (if any?) have the resources to prove exploitability/etc. for all of the 50+ vulnerabilities that are reported per week.

This seems to be a trend in vulnerability reporting. In general, I think it's a good one, i.e. being more open about how much or little is known at any particular time. The motives could be more due to correctness/accuracy than trying to avoid embarrassment.

And if you're a software vendor or maintainer, why spend a large number of hours trying to prove exploitability? One could just patch the bug, post an alert, and move on to other more pressing matters.

- Steve