Full Disclosure mailing list archives

RE: Information Week: 2/3 of pros want immediate disclosure


From: "Ingevaldson, Dan (ISS Atlanta)" <dsi () iss net>
Date: Thu, 8 Jul 2004 14:16:33 -0400

Figures lie and liars figure.  It's all in the way the question was
phrased:

"When should software vendors disclose software vulnerabilities to their
customers?" This was the wording in the InformationWeek article that
Steve posted.  66% said "immediately".

What would the results look like if you asked a loaded question that
leaned in the other direction?

"Should software vendors disclose information about software
vulnerabilities to the global hacking community at the same time as all
their customers who haven't yet implemented a working patch management
process?"

I imagine the results would be slightly different.  Take this study with
a grain of salt.

------------------
Daniel Ingevaldson
Director, X-Force R&D/PSS
dsi () iss net 
404-236-3160
 
Internet Security Systems, Inc.
Ahead of the Threat
http://www.iss.net
 

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Ron
DuFresne
Sent: Thursday, July 08, 2004 12:04 PM
To: Steven M. Christey
Cc: Full-Disclosure () lists netsys com
Subject: Re: [Full-disclosure] Information Week: 2/3 of pros want
immediate disclosure


Which adds to the full disclosure debate a resounding "disclose asap",
and shows that many in the industry feel this is needed not only to
address issues in their envs as quickly as possible to mitigate problems
until a fix/patch is available, but that most feel disclosure puts the
pressure on their vendors to respond to issues as they become disclosed.

Thanks,

Ron DuFresne

On Wed, 7 Jul 2004, Steven M. Christey wrote:


Information Week just posted an article titled "Disclosure: Security
Pros Want Flaw Information Sooner" in which they surveyed 7,000
business technology and security professionals.  66% argued for
immediate disclosure upon discovery, and another 32% wanted disclosure
once a patch was available, leaving only 2% who said that there was no
need to disclose vulnerabilities at all:

http://www.informationweek.com/story/showArticle.jhtml?articleID=22103495

- Steve

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


