Dailydave mailing list archives
Re: Moot choices, a sort of DD media party
From: Florian Weimer <fw () deneb enyo de>
Date: Sat, 02 Jul 2005 15:22:17 +0200
* Rodney Thayer:
> What do you do when you find an exploit in a protocol spec? Do you disclose it to the standards body? Do you tell the vendor?
You tell a couple of vendors who then try to write a new standard. At least that seems to be the direction the IETF is heading; see the tcpm working group.
> I guess my current allegedly interesting observation about disclosures is - if you notify a vendor, and they ignore you or go into denial, then well they've just told you it's not an exploit and you can publish it wherever you damn well please.
Or they tell you upfront. Formalized vendor security guidelines (if they exist at all) usually tell us that the product is supposed to be used in a benign environment, and that all connected machines must reside under the same administrative domain. In this scenario, most potential issues cannot result in security policy breaches. Therefore, according to a few popular definitions, they aren't vulnerabilities.