Full Disclosure mailing list archives
Re: Announcing new security mailing list
From: full-disclosure () lists netsys com (John Cartwright)
Date: Thu, 11 Jul 2002 14:57:26 +0100
On Thu, Jul 11, 2002 at 01:42:16PM +0200, Simon Richter wrote:

Simon,

You may wish to subscribe to the list so that you and others may debate this issue. The list is configured so that non-members may not post.
> To me, the term "full disclosure" does not mean "make it available as fast as possible", but rather "here is the information, expect it to leak in the next two weeks, so go out and fix the bug". The current bugtraq scheme enforces that, and I believe they are doing a great job.
We are placing the responsibility with the individual, not with an organisation here. What we do not believe in is having a situation where a select few are aware of a problem, but 99% of the internet populace are powerless to defend against it. We are not saying that the vendor should not be informed, we are saying, inform the people and the vendor simultaneously.
> By creating a forum in which vulnerability spotters can get "instant fame", you are forcing software vendors to monitor the forum 24/7, as a new vulnerability in their software could be disclosed anytime, and at the moment it is disclosed, script kiddies are hacking it into their scanners while it could be 4 am in the vendor's timezone. If we are lucky enough that the vulnerability is spotted by a whitehat, we should not jeopardize the time advantage we have by announcing it publicly.
This situation already occurs. If a researcher leaks information to a few 'allies', if a technique is discovered 'in the wild', or if a vendor silently fixes unknown problems, then there are those who possess the knowledge and those that don't. We are simply providing a forum for those who wish to try and balance out this situation.
> In short, I think this is a bad idea because it adds confusion for the vulnerability spotters, risks early disclosure before fixes are available and thus harms the users.
Early disclosure is important, IMO, as was proved with the recent Apache flaw. I believe there were reports of Gobbles' exploit being active in the wild long before the patched packages were available, and being alerted to the problem even if there was no fix would have at least given admins a 'heads-up' and allowed people to make informed business decisions. Of course, this is our personal opinion, but we hope that others concur and wish to share in our resource.

- John