Full Disclosure mailing list archives

Re: some ooold Juniper bugs (was: ZDI-10-231: Juniper Secure Access Series meeting_testjava.cgi XSS Vulnerability)


From: Jeffrey Walton <noloader () gmail com>
Date: Sun, 7 Nov 2010 22:05:34 -0500

On Sun, Nov 7, 2010 at 7:57 PM, Michal Zalewski <lcamtuf () coredump cx> wrote:
> This reminded me of a bunch of problems I spotted in Juniper SSL VPN a
> while ago; they are apparently fixed, but I don't recall seeing any
> public vendor advisory / credit for reporting them - so here you go,
> even if just for the record...
My impressions and experience: (1) some companies don't want to know
of problems in their software; (2) some companies don't want to fix
the reported problems in their software because the remainder of their
house of cards becomes unstable; (3) other companies want to know, but
don't want to publicly acknowledge the defect or offer credit; and (4)
a small number of companies want to know so they can fix and offer
credit.

Unfortunately, my observations seem to indicate very few companies
fall under (4). And my personal experience with software vendors
developing antivirus, firewall and other security software:
approximately 150 defects reported in 20 vendors. Only Symantec
published an advisory and offered credit.

And the political spin: companies get away with shipping broken
software and residing in (1) and (2) above because there are no
software liability laws, even though software enjoys intellectual
property protection. Reason: In America, corporate America bribes the
legislature (err, makes 'PAC contributions').


[SNIP]


Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
