Full Disclosure mailing list archives

Re: Full Disclosure != Exploit Release


From: "http-equiv () excite com" <http-equiv () malware com>
Date: Wed, 29 Jan 2003 17:07:40 -0000



<!-- Paul Schmehl wrote:

On Wed, 2003-01-29 at 06:13, David Howe wrote:

That is of course your choice. Vendors in particular were prone to deny
a vulnerability existed unless exploit code were published to prove it.

I've read this mantra over and over again in these discussions, and a
question occurs to me.  Can anyone provide a *documented* case where a
vendor refused to produce a patch **having been properly notified of a
vulnerability** until exploit code was released? -->

It is accurate. Even providing the most detailed step-by-step 
instructions to the vendor can yield a blank stare and a request for 
a working demonstration. Once submitted, the vendor disappears.
Thereafter you publish both the detailed step-by-step and the working 
demonstration because you never hear back from the vendor. Or if you 
do hear back, it has been determined by them "not to be an issue".

Happens all the time.



-- 
http://www.malware.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

