Half Disclosure

[robert () dyadsecurity com]

I know there is a debate
(http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1014528,00.html)
between the security research community and the Confused Illusionary
Supposed Security People communities.

The industry seems to be taking a funny twist with the practice of
disclosure of newly identified problems.  My team for years has joked
about creating a "Half Disclosure" mailing list.  This list would either
A) tell you that a particular piece of software has a problem... or B)
provide working exploit code with no product reference.

Little did we know other companies had the same sense of humor:
http://www.securityfocus.com/archive/1/380152/2004-10-31/2004-11-06/0

"... are going to withhold details about this flaw for three months.
Full details will be published on the [later]. This three
month window will allow users of [product] the time needed to download
the updated version before the details are released to the general
public. This reflects [companies]'s new approach to responsible
disclosure."

Is this really the path we want to take?

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave