Full Disclosure mailing list archives
Re: Publishing exploit code - what is it good for
From: Thomas Reinke <reinke () securityspace com>
Date: Thu, 30 Jun 2005 13:55:50 -0400
benefit of public exploit codes. Quote: " If I speak to an end-user organization and they express legitimate needs for exploit code, then I'll change my opinion."
Heh...very close-minded to begin with. Good luck trying any argument with this "analyst".
Please note: I don't need any arguments pro or against full disclosure; all this has been discussed in the past. I also don't need you to tell me about someone else or some other project (e.g. nessus, snort) that utilizes these exploits. Tried that. Didn't work. What I need is a security administrator, CSO, IT manager or sys admin that can explain why they find public exploits are good for THEIR organizations. Maybe we can start changing public opinion with regards to full disclosure, and hopefully start with this opinion leader. TIA.
You may wish to point out to your "analyst" that end-user benefits are indirect. How many times have we seen organizations attempt to sweep problems under the cover? This is an old, well understood reason for full disclosure.

Now, how many times have there been arguments about "this is not a code injection exploit, only a DoS, so the customer impact is not severe, so we're delaying fixing this until release X.Y in 3 months time", only to find someone actually coded an exploit to prove that a vulnerability is fully exploitable?

The end result: exploit code, responsibly handled, serves the exact same purpose that vulnerability information disclosure serves: an accountability mechanism to ensure that vendors do not attempt to bury information that they perceive to negatively impact their products and services. Thus, exploit code serves the customer by ensuring that vendors handle vulnerabilities promptly, because the vendor is aware that exploits will likely be developed, and that the negative publicity of exploits running wild against their products outweighs the negative publicity of admitting (and fixing) a vulnerability.

But, somehow, given the attitude your analyst is conveying, I'd say more effort has been expended than is worthwhile.

Thomas

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/