Bugtraq mailing list archives

Re: Full Disclosure works, here's proof:


From: cklaus () shadow net (Christopher Klaus)
Date: Fri, 2 Dec 94 12:07:44 EST


Anyways, it has been less than a week and here are SCO's patches.  If 8LGM
had only reported the bugs to CERT and SCO, who knows how long it would have
been before we saw the patches?

> So, tell me, where did the full disclosure take place?

I was using full disclosure in the sense that the problem is reported to
the world rather than just to a select few organizations.  IMO, I don't
think you need a no-brainer exploit script with a bug report before it is
fully disclosed.  Probably enough info would be nice to check whether other
OSes are vulnerable to this bug, since I doubt 8lgm has every machine and
OS to test the vulnerabilities they find on a single machine.

> We have seen no such fixes with the first batch of immediate full-disclosure
> 8lgm reports.

Well, that probably reflects the company that supports the OS.  If one company
can get patches out a week after the problems were disclosed worldwide
but without exploit scripts, and another company still hasn't officially
patched security problems that were reported worldwide with exploit
scripts, then there seems to be something wrong here.  And it probably isn't
reflecting which method of disclosure works better.  That is, with or
without exploit scripts, it appears not to make a difference in how a
company handles security reports.

-- 
Christopher William Klaus  <cklaus () shadow net>  <iss () shadow net>
Internet Security Systems, Inc.         Computer Security Consulting
2209 Summit Place Drive,              Penetration Analysis of Networks
Atlanta, GA 30350-2430. (404)518-0099. Fax: (404)518-0030
