Full Disclosure mailing list archives

it's all about timing


From: full-disclosure () lists netsys com (Timothy J.Miller)
Date: Thu, 1 Aug 2002 09:54:57 -0500

On Wednesday, July 31, 2002, at 04:26 PM, Florin Andrei wrote:

> But every security problem
> (especially when it's accompanied by an exploit) should be reported
> first to the vendor! There should be no exception from this rule. The
> person doing the reporting should give the vendor a reasonable period of
> time to fix it; say, a few weeks or so.

I can't agree.  In my day job I maintain systems for a defense agency, 
and I *have* to know what my exposures are *at all times*, whether a fix 
exists or not, since lives can be dependent (directly or indirectly) on 
the availability and integrity of my systems.

Without this information, I can't mitigate my risk.  Leaving *my* risk 
in the hands of a vendor-- who has a vested interest in *not* letting me 
know-- is wrong.

-- Cerebus


