Full Disclosure mailing list archives
RE: Information Week: 2/3 of pros want immediate disclosure
From: "Ingevaldson, Dan (ISS Atlanta)" <dsi () iss net>
Date: Thu, 8 Jul 2004 14:16:33 -0400
Figures lie and liars figure. It's all in the way the question was phrased:

"When should software vendors disclose software vulnerabilities to their customers?"

This was the wording in the InformationWeek article that Steve posted. 66% said "immediately". What would the results look like if you asked a loaded question that leaned in the other direction?

"Should software vendors disclose information about software vulnerabilities to the global hacking community at the same time as all their customers who haven't yet implemented a working patch management process?"

I imagine the results would be slightly different. Take this study with a grain of salt.

------------------
Daniel Ingevaldson
Director, X-Force R&D/PSS
dsi () iss net
404-236-3160

Internet Security Systems, Inc.
Ahead of the Threat
http://www.iss.net

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Ron DuFresne
Sent: Thursday, July 08, 2004 12:04 PM
To: Steven M. Christey
Cc: Full-Disclosure () lists netsys com
Subject: Re: [Full-disclosure] Information Week: 2/3 of pros want immediate disclosure

Which adds to the full disclosure debate a resounding, disclose asap. And shows that many in the industry feel this is needed to not only address issues in their envs as quickly as possible to mitigate problems until a fix/patch is available, but, that most feel disclosure puts the pressure on their vendors to respond to issues as they become disclosed.

Thanks,

Ron DuFresne

On Wed, 7 Jul 2004, Steven M. Christey wrote:
Information Week just posted an article titled "Disclosure: Security Pros Want Flaw Information Sooner" in which they surveyed 7,000 business technology and security professionals. 66% argued for immediate disclosure upon discovery, and another 32% wanted disclosure once a patch was available, leaving only 2% who said that there was no need to disclose vulnerabilities at all:

http://www.informationweek.com/story/showArticle.jhtml?articleID=22103495

- Steve

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.