funsec mailing list archives
Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Mon, 28 Aug 2006 20:32:10 -0500
Dude VanWinkle wrote:
> On 8/28/06, Michal Zalewski <lcamtuf () dione ids pl> wrote:
>> On Mon, 28 Aug 2006, Dude VanWinkle wrote:
>>> "Tipping Point customers have been protected from this flaw since x.y.z"
>>> Is that extortion?
>> No. Sorry.
> I guess it depends on the vendor and how long they have given them to patch the issue. Still FD of 30 0-days seems odd for a security company that will profit off it. Que Sirah -JP
This is not "full disclosure" of any of these vulnerabilities. The snippet ferg quoted says there will be a LIST of these issues published, and in fact it has been published:

http://www.zerodayinitiative.com/upcoming_advisories.html

This is called a "disclosure pipeline". IOW, it names vendors we have cases open with and the length of time those cases have been open. Also included is a self-issued internal severity rating from TippingPoint. There's minimal information actually provided.

We've been doing this same thing with vulnerabilities discovered internally by members of the TippingPoint Security Research Team for some time now:

http://www.tippingpoint.com/security/upcoming_advisories.html

I did the same thing with vulnerabilities I found before I came to TippingPoint, and others (notably eEye) also engage in this practice. Calling it extortion is completely out of line, IMO.

- Matt Murphy, TippingPoint Security Research Team