Full Disclosure mailing list archives
Re: it\'s all about timing
From: full-disclosure () lists netsys com (Ron DuFresne)
Date: Mon, 5 Aug 2002 21:43:17 -0500 (CDT)
[SNIP]
Your number 6 below: "The Vendor MUST provide a facility for individuals or organizations who are not Customers to report vulnerabilities" This to me sounds like it is acceptable that there are going to be vulnerabilities. Continue cranking out shodware because we have a set of guidelines that people who stumble across them are expected to adhere to.Vulnerabilities will happen, even in the best of circumstances, as long as new types of vulnerabilities are discovered. If there are 20 individuals who decide to audit a package for a new type of vulnerability, but the vendor only has 5 developers, then it seems like there's a good chance that someone other than the vendor will discover the issue. Then you've got "interaction" vulnerabilities, which I loosely define as when a vulnerability occurs in the way that two products interact with each other. Developers can't always predict how their product will be used, or how it will interact with other products, so interaction-based vulnerabilities may be around in one form or another.
But seriously, what's new about buffer overflows, which are the main cause of vunls in software now as they were in the 1980's and prior when the morris worm hit[1]. How about repeat issue with the same products, like the M$ sql server issues <not that M$ is the only vendor with products that sink time and again>? What 'new types of vulnerabilities' are being discovered? [SNIP] Thanks, Ron DuFresne [1] http://sysinfo.com/iworms.html (our shameless plug) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
Current thread:
- Re: it\'s all about timing, (continued)
- Re: it\'s all about timing Ron DuFresne (Aug 02)
- Re: it\'s all about timing full-disclosure () lists netsys com (Aug 02)
- Re: it\'s all about timing full-disclosure () lists netsys com (Aug 02)
- Re: it\'s all about timing full-disclosure () lists netsys com (Aug 02)
- Re: it\'s all about timing full-disclosure () lists netsys com (Aug 05)
- Re: it\'s all about timing Steven M. Christey (Aug 05)
- Re: it\'s all about timing Steven M. Christey (Aug 05)
- Re: it\'s all about timing Steven M. Christey (Aug 05)
- Re: it\'s all about timing Steven M. Christey (Aug 05)
- Re: it\'s all about timing Steven M. Christey (Aug 05)
- Re: it\'s all about timing Ron DuFresne (Aug 05)
- Re: it\'s all about timing full-disclosure () lists netsys com (Aug 07)
- Re: it\'s all about timing full-disclosure () lists netsys com (Aug 07)
- Re: it\'s all about timing full-disclosure () lists netsys com (Aug 07)
- Re: it\'s all about timing full-disclosure () lists netsys com (Aug 07)