Re: Half Disclosure

[ned <nd () felinemenace org>]

On Wed, 3 Nov 2004 robert () dyadsecurity com wrote:

> I know there is a debate
> (http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1014528,00.html)
> between the security research community and the Confused Illusionary
> Supposed Security People communities.
>
> The industry seems to be taking a funny twist with the practice of
> disclosure of newly identified problems.  My team for years has joked
> about creating a "Half Disclosure" mailing list.  This list would either
> A) tell you that a particular piece of software has a problem... or B)
> provide working exploit code with no product reference.
>
> Little did we know other companies had the same sense of humor:
> http://www.securityfocus.com/archive/1/380152/2004-10-31/2004-11-06/0

eEye does it too:
http://www.eeye.com/html/research/upcoming/index.html

> "... are going to withhold details about this flaw for three months.
> Full details will be published on the [later]. This three
> month window will allow users of [product] the time needed to download
> the updated version before the details are released to the general
> public. This reflects [companies]'s new approach to responsible
> disclosure."
>
> Is this really the path we want to take?
>
> Robert

-- 
http://felinemenace.org/~nd

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave