Full Disclosure mailing list archives

Re: Re: Cisco's stolen code


From: Mister Coffee <live4java () stormcenter net>
Date: Wed, 26 May 2004 13:04:40 -0700

Jason,

Your middle of the road approach is probably the best.  Proper advisory release process would have "us" notify the 
vendor of a code flaw and give them time to respond and post an advisory before releasing a sploit or advisory to the 
wild ourselves.  Timeframe would depend on the severity, and it would probably be fine to give people a heads up on the 
issue. 

(Without being overly specific.  e.g. "There's a potentially bad bug in IOS.  Vendor's been notified.  Enable 
"STOP_EVIL_HAXOR" to mitigate the threat.  Vendor will release details.")

I'm not sure it came across in my post, but for discussion's sake I was assuming the advisory was being released with 
the honest intention of protecting infrastructure, rather than as an attempt to gain glory.

Cheers,
L4J

On Wed, May 26, 2004 at 12:52:06PM -0400, Jason Weisberger wrote:
I think the line needs to be drawn somewhere in the middle.  Using
stolen Cisco code to find vulnerabilities in their software and
publishing advisory notices based on stolen code is unethical.  A common
middle-ground would be to inform the company and not publish the
advisory.  In this way, the company can release its own advisory and
will probably let you go unchecked.  If it's fame and fortune you're
looking for, then release the advisory while realizing the risk of being
sued by Cisco for possession of their intellectual property.

I suggest being humble.

Jason Weisberger
http://www.csrev.com

Mister Coffee wrote:
<long assed thread snipped> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
