Bugtraq mailing list archives

Re: UnixWare


From: c617666 () sgi7 phlab missouri edu (Paul Walmsley)
Date: Sat, 30 Apr 1994 17:54:57 -0500 (CDT)


On Sat, 30 Apr 1994, Gene Spafford wrote:


> > No, but I had thought they had advertised themselves as a worthwhile
> > place to report them, and my perception, and apparently that of many
> > other people here, is that this is not the case.
>
> It depends on your definition of "useful."  If it is defined as "gets
> the bug reports to all the vendors without also disclosing it to any
> real or potential bad guys in the process; follows up the report to
> make sure that the vendors are maybe working on it; and then provides
> a wide-ranging, trusted announcement method to alert people when the
> fixes are available" then it *is* worthwhile.

I think you're being pretty naive in assuming that telling only the
vendors avoids "disclosing it to any real or potential bad guys."  Not
only might there be "bad guys" at the vendor, but it's also quite possible
that the "bad guys" were the first to discover the hole and are running
around happily exploiting it while CERT waits to "make sure that the 
vendors are maybe working on it."

-Paul


