Full Disclosure mailing list archives

Re: Re: Full Disclosure != Exploit Release


From: Georgi Guninski <guninski () guninski com>
Date: Wed, 29 Jan 2003 20:49:47 +0200

Paul Schmehl wrote:
> On Wed, 2003-01-29 at 06:13, David Howe wrote:
>
>> That is of course your choice. Vendors in particular were prone to deny
>> a vulnerability existed unless exploit code were published to prove it.
>
> I've read this mantra over and over again in these discussions, and a
> question occurs to me.  Can anyone provide a *documented* case where a
> vendor refused to produce a patch **having been properly notified of a
> vulnerability** until exploit code was released?
>
> Definitions:
>
> "properly notified" means that the vendor received written notification
> at a functional address (either email or snail mail) *and* responded
> (bot or human) so that the sender knows the message was received.
>
> "documented" means that there is proof both of proper notification *and*
> that a patch was not released in a timely manner.
>
> "timely" means within two weeks of the notification.


IIRC micro$oft never fixed any of my reports in a "timely" manner according to your definitions. Somewhere on www.guninski.com you may see they didn't fix a reproducible exploit in a lot of months.
Another recent example is the "shatter" exploit, which was first denied to be a bug.

Georgi Guninski
http://www.guninski.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
