Full Disclosure mailing list archives

Re: Right, or wrong?


From: Valdis.Kletnieks () vt edu
Date: Tue, 07 Aug 2007 18:49:25 -0400

On Tue, 07 Aug 2007 17:46:51 EDT, Jared DeMott said:
> vendor.  I was thinking that this would be ideal since the vendor would
> have the most interest in knowing about/fixing the bug.

That's a dubious statement at best.

What a commercial vendor is interested in is minimizing their *total cost*
of providing whatever level of security they do.  As a result, unless the
bad press starts impacting product sales, the *best* stance is "stick head
in sand and pretend it's bulletproof".  Second best is "issue lots of press
releases saying we're dedicated to security".  Actually spending the big bucks
to make the product secure is a *distant* third.

And the instant they actually *buy* a bug report, they've lost all semblance
of plausible deniability.  "D'Oh! somebody reported it in our bugzilla but we
overlooked it" doesn't work if you've obviously *not* overlooked it to the
point of writing the submitter an actual check.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/