Full Disclosure mailing list archives
RE: Re: Full Disclosure != Exploit Release
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Wed, 29 Jan 2003 14:32:23 -0500
Paul,

It happens to me all the time. Vendors just lose track of reports of security holes. Hell, I even forget about them sometimes. What wakes vendors up almost 100% of the time is a call from a press person or a message on Bugtraq or Full-disclosure. However, I've never found it necessary to publish exploit code to get a vendor's attention. The public disclosure of the existence of a problem is good enough. Once the press gets involved with an issue, vendors' attitudes change immediately.

Richard

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of hellNbak
Sent: Wednesday, January 29, 2003 12:50 PM
To: Paul Schmehl
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Re: Full Disclosure != Exploit Release

Paul,

It is 2:30AM in my part of the world (Tokyo). I have been drinking heavily and I have a meeting in 4 hours. So forgive me for not posting the exact advisories and exact examples, but in my experience with the various mailing lists I have moderated, the various jobs I have held and the various other interests I have, I have run into vendors willing to either threaten lawsuit or deny altogether before they fix a vuln. This is truly the case. Perhaps tomorrow afternoon I will send you my specific examples.

On 29 Jan 2003, Paul Schmehl wrote:
Date: 29 Jan 2003 10:23:23 -0600
From: Paul Schmehl <pauls () utdallas edu>
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Full Disclosure != Exploit Release

On Wed, 2003-01-29 at 06:13, David Howe wrote:

That is of course your choice. Vendors in particular were prone to deny a vulnerability existed unless exploit code were published to prove it.

I've read this mantra over and over again in these discussions, and a question occurs to me. Can anyone provide a *documented* case where a vendor refused to produce a patch **having been properly notified of a vulnerability** until exploit code was released?

Definitions:

"properly notified" means that the vendor received written notification at a functional address (either email or snail mail) *and* responded (bot or human) so that the sender knows the message was received.

"documented" means that there is proof both of proper notification *and* that a patch was not released in a timely manner.

"timely" means within two weeks of the notification.

"vendor" means any company that produces publicly available software - open source or commercial.

Caveats:

You cannot use a case where exploit code was released at the same time the vulnerability announcement was made *or* within two weeks of the announcement (see "timely").

I'm not saying this doesn't occur. Just that it has the smell of urban legend and justification for actions taken.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak () nmrc org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [Secure Network Operations, Inc.] Full Disclosure Conclusion?, (continued)
- [Secure Network Operations, Inc.] Full Disclosure Conclusion? ATD (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure Conclusion? yossarian (Jan 29)
- RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release hellNbak (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Blue Boar (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Rick Updegrove (security) (Jan 29)
- RE: RE : [Secure Network Operations, Inc.] FullDisclosure != Exploit Release Geo (Jan 29)
- RE: RE : [Secure Network Operations, Inc.] FullDisclosure != Exploit Release Strategic Reconnaissance Team (Jan 29)
- Re: Full Disclosure != Exploit Release Paul Schmehl (Jan 29)
- Re: Re: Full Disclosure != Exploit Release hellNbak (Jan 29)
- RE: Re: Full Disclosure != Exploit Release Richard M. Smith (Jan 29)
- Re: Re: Full Disclosure != Exploit Release Georgi Guninski (Jan 29)
- Re: Re: Full Disclosure != Exploit Release KF (Jan 29)
- Re: Re: Full Disclosure != Exploit Release Blue Boar (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Strategic Reconnaissance Team (Jan 29)
- Re: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Strategic Reconnaissance Team (Jan 29)
- RE: [Secure Network Operations, Inc.] Full Disclosure != Exploit Release Richard M. Smith (Jan 29)