Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Re: Full Disclosure != Exploit Release

From: "Richard M. Smith" <rms () computerbytesman com>
Date: Wed, 29 Jan 2003 14:32:23 -0500
Paul,

It happens to me all the time.  Vendors just loose track of reports of
security holes.  Hell, I even forget about them sometimes.  What wakes
vendors up almost a 100% of the time is a call from a press person or a
message on Bugtraq or Full-disclosure.  However, I've never found it
necessary to publish exploit code to get a vendor's attention.  The
public disclosure of the existence of a problem is good enough.  Once
the press gets involved with an issue, vendors attitudes change
immediately.

Richard

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of hellNbak
Sent: Wednesday, January 29, 2003 12:50 PM
To: Paul Schmehl
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Re: Full Disclosure != Exploit Release


Paul,

It is 2:30AM in my part of the world (Tokyo) I have been drinking
heavily
and I have a meeting in 4 hours.  So forgive me for not posting the
exact
advisories adn exact examples but in my experiance with the various
mailing lists I have moderated, the various jobs I have held and the
various ohter interests Ihave -- I have ran into vendors willing to
eithe
rthreaten lawsuit or deny all together before they fix a vuln.

This is truly the case.  Perhaps tomorrow afternoon I will send you my
specific examples.

On 29 Jan 2003, Paul Schmehl wrote:


Date: 29 Jan 2003 10:23:23 -0600
From: Paul Schmehl <pauls () utdallas edu>
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Full Disclosure != Exploit Release

On Wed, 2003-01-29 at 06:13, David Howe wrote:


That is of course your choice. Vendors in particular were prone to

deny

a vunerability existed unless exploit code were published to prove

it.


I've read this mantra over and over again in these discussions, and a
question occurs to me.  Can anyone provide a *documented* case where a
vendor refused to produce a patch **having been properly notified of a
vulnerability** until exploit code was released?

Definitions:

"properly notified" means that the vendor received written

notification

at a functional address (either email or snail mail) *and* responded
(bot or human) so that the sender knows the message was received.

"documented" means that there is proof both of proper notification

*and*

that a patch was not released in a timely manner

"timely" means within two weeks of the notification

"vendor" means any company that produces publicly available software -
open source or commercial

Caveats:

You cannot use a case where exploit code was released at the same time
the vulnerability announcement was made *or* within two weeks of the
announcement (see "timely")

I'm not saying this doesn't occur.  Just that it has the smell of

urban

legend and justification for actions taken.




-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak () nmrc org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: