Full Disclosure mailing list archives
Re: [SE-2012-01] Critical security issue affecting Java SE 5/6/7
From: Security Explorations <contact () security-explorations com>
Date: Wed, 26 Sep 2012 10:11:07 +0200
On 2012-09-26 01:30, Chris Evans wrote:

> I don't see any details? This list is "full disclosure", not "touch self in public".
Our Disclosure Policy [1] is something in between Full Disclosure and Responsible Disclosure. It has certain advantages, such as the ability to carry an early warning to the public regarding security risks identified in a given software / technology.

Due to our "old fashioned" approach to communication (we don't tweet, blog, etc.), we carry these warnings by means of sending posts to the Bugtraq and Full Disclosure mailing lists. I am not sure if you remember these times, but for long years these lists have been the premier source of information for many with respect to security weaknesses, attacks and exploitation techniques.

So far, all of our Oracle Java SE findings have been confirmed by the vendor (this includes Issue 50 announced yesterday). Vendors that avoided or neglected to do so always faced the risk of having their issues disclosed without any warning [2].

It is the list moderators, not you, who decide what content gets accepted to the Bugtraq / Full Disclosure mailing lists. If you disagree, I suggest that you contact the proper list moderator and continue your discussion with him.

We will continue our way of conducting security research and the disclosure process regardless of your or others' voices of objection. We simply do believe in our cause.

As for the actual disclosure of the 50 Java issues we uncovered in Oracle's Java SE, IBM Java and Apple QuickTime for Java, we plan to publish technical vulnerability details as first indicated in our FAQ [3] in Apr 2012. If you expected that we would publish the details now and put an estimated 1 billion desktop Java users at risk, then I suggest you ask your employer what the company thinks about the value of doing so.

Thank you.

--
Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References.

[1] Security Explorations, Disclosure Policy
http://www.security-explorations.com/en/disclosure-policy.html

[2] SE-2012-01 Press Info (2)
http://www.security-explorations.com/en/SE-2012-01-press2.html

[3] SE-2012-01 Frequently Asked Questions
http://www.security-explorations.com/en/SE-2012-01-faq.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/