Dailydave mailing list archives
RE: Lynn / Cisco shellcode
From: Michael J Freeman <mfreeman451 () yahoo com>
Date: Thu, 28 Jul 2005 21:46:12 -0700 (PDT)
Of course you won't wait around; someone else might publish it first and steal all the credit. It makes sense in most cases for researchers to not publish vulnerabilities until a patch is out. I think people should do like what eEye does: you have a webpage saying "this is pending," or you release "half" an advisory discussing the problem but not giving away enough details. badpack3t most recently gave the perfect example of this, putting out a screenshot of a vulnerability in RDP. It certainly gained a lot of attention and put a fire under Microsoft's butt, without giving away the crown jewels. 2 cents.

--- Dennis Cox <dcox () tippingpoint com> wrote:
> I'm going to respond to myself, because I didn't feel I was clear. My point is: if a vulnerability is so severe and the company whose product has the vulnerability takes an unreasonable amount of time to resolve the issue, what route can one take? In this case Cisco announced that it will issue the security bulletin tomorrow, I believe. That's only because Mr. Lynn forced their hand. I don't want ISS, iDefense or heck, my company sitting on a vulnerability for a year or two just to appease some company. There has to be some other alternative. The security companies don't have one; their lawyers force them to keep quiet would be my guess. One could go anonymous of course, but that's scary in many regards. Something has to have teeth.
>
> So does that mean that perhaps the government (or a government-type agency, e.g. UN) should become a notification point for vulnerabilities in the future? I realize it's got tons of downsides (too numerous to list), but the upside is pressure. They can put tons of pressure on Cisco and Oracle (700 days was mentioned before, which is an ungodly amount of time) to fix the vulnerability by denying government purchases of that vendor's equipment until such a time as the vulnerability is resolved.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave