funsec mailing list archives

Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Mon, 28 Aug 2006 20:32:10 -0500


> Dude VanWinkle wrote:
>> On 8/28/06, Michal Zalewski <lcamtuf () dione ids pl> wrote:
>>> On Mon, 28 Aug 2006, Dude VanWinkle wrote:
>>>
>>>> "Tipping Point customers have been protected from this flaw since
>>>> x.y.z"
>>>> Is that extortion?
>>>
>>> No. Sorry.
>>
>> I guess it depends on the vendor and how long they have given them to
>> patch the issue.
>>
>> Still FD of 30 0-days seems odd for a security company that will profit
>> off it.
>>
>> Que Sirah
>>
>> -JP

This is not "full disclosure" of any of these vulnerabilities.  The 
snippet ferg quoted says there will be a LIST of these issues published, 
and in fact it has been published:

     http://www.zerodayinitiative.com/upcoming_advisories.html

This is called a "disclosure pipeline".  IOW, it names vendors we have 
cases open with and the length of time those cases have been open.  Also 
included is a self-issued internal severity rating from TippingPoint. 
There's minimal information actually provided.

We've been doing this same thing with vulnerabilities discovered 
internally by members of the TippingPoint Security Research Team for 
some time now:

     http://www.tippingpoint.com/security/upcoming_advisories.html

I did the same thing with vulnerabilities I found before I came to 
TippingPoint, and others (notably eEye) also engage in this practice. 
Calling it extortion is completely out of line, IMO.

- - Matt Murphy, TippingPoint Security Research Team

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.