Bugtraq mailing list archives
Re: Pro Disclosure (was Re: UnixWare)
From: paul () vix com (Paul A Vixie)
Date: Sat, 30 Apr 1994 01:00:46 -0700
I think this anti-CERT sentiment is misplaced. If someone tells CERT about a bug and CERT manages to tell the vendors about the bug, before _everybody_ knows about the bug, then it seems to me that a good service has been done. Generally what happens is:

    a bad guy finds a hole
    lots of bad guys use the hole
    some good guy notices the hole being used, and tells CERT
    CERT tells the vendors
    some vendors get a binary patch together; others ignore it
    CERT tells the world of the existence (but not details!) of the hole, and gives references to the vendor's patches, and suggested workarounds
    the rest of the bad guys learn about and use the hole
    the good guys eventually figure out what the hole was

i, like others on this list, would like the last step shown above to come earlier in the script than it does now. but since there is no way to give information to _just_the_good_guys_ or at least enough of them to matter, i think CERT's approach approaches do-least-evil. and they do some good. if anyone here has a better approach in mind, let's hear it, ok?

[ the last major hole CERT reported was one of mine :-( ]