Full Disclosure mailing list archives

it's all about timing


From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Wed, 31 Jul 2002 21:01:20 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nobody needs to do a damn thing. If I am sitting watching my monitor and it blows up in my face, do you really think I 
am going to tiptoe around and quietly tell the manufacturer that his product is flawed, and allow him to ::secretly:: 
fix it? Or the software vendor whose junk database deletes everything on the 1st of every 6 months due to some sloppy 
programming on their part? Why pussy-foot around? You're paying hundreds of thousands of dollars for an overpriced 
product. The vendors aren't ::giving:: it away for free to you. Money from your pocket goes into theirs in exchange 
for goods. You're buying something they are selling. And they had better make damn sure what they are selling works as 
advertised.

The time is to sue the vendors. Demand a refund. Get your money back if it's broken. What the hell is this: paying 
them, then creeping around in the shadows fixing the shit they just sold you, for them?

Grow some backbone. Expose all the flaws at once. No mercy. Full-Disclosure - believe in it.

Fuck Hewlett Packard; take the Digital Millennium Copyright Act and shove it up your ass, Kent Ferson. Your stocks are 
going to go down down down down. You're going to get fired over this, you lame fuck.



- ----- Original Message -----
From: Eric N. Valor
To: full-disclosure () lists netsys com
Sent: Wednesday, July 31, 2002 11:06 PM
Subject: RE: [Full-disclosure] it's all about timing



I believe, depending on severity of the vulnerability, that one week should
be sufficient for at least vendor response prior to publicly leaking
information about said vulnerability.  This does not mean releasing exploit
code, only general information about the vuln so that educated readers can
understand what's going on.

If no vendor responses occur, then release of information should occur.  If
there is vendor response indicating an attempt to work the issue, then more
time should of course be given (again, depending on severity of the issue).

Holes in this would include exactly *how* the vendor was contacted
(midnight messages left in the general company voicemail don't count, etc.)
and whether any follow-up attempts were made.  Also, a vanilla vendor
response to the effect of "Thank you for the information.  We'll look into
it.  Don't call us, we'll call you" is an effective NOOP.

Are we enough of an ad-hoc "authority" to attempt to determine a proper
course of action for these instances?  Codifying this (even if it's just a
"gentlemen's agreement") would most definitely be A Good Thing.
- --
Eric N. Valor
ericv () cruzio com
PGP Key 2048/1024 227B04CB
Key Fingerprint = 766C CA15 0FFF E54B 2FEE  C7D7 0F87 3AFB 227B 04CB

: This Space Intentionally Left Blank :

_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure () lists netsys com
http://lists.netsys.com/mailman/listinfo/full-disclosure
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wmYEARECACYFAj1IsZAfHGNob29zZS5hLnVzZXJuYW1lQGh1c2htYWlsLmNvbQAKCRDT
5JkCl0iMkPFiAKCFxeGWL5ypYFWinmQuBybxI1lUVgCfXWbjCLR42KDgaetDzrR5FvjA
UP4=
=SwZl
-----END PGP SIGNATURE-----

