Full Disclosure mailing list archives

Re: [VulnDiscuss] Re: -==phpBB 2.0.14 Multiple Vulnerabilities==-[Scanned]


From: bkfsec <bkfsec () sdf lonestar org>
Date: Mon, 25 Apr 2005 15:45:03 -0400

Steve Friedl wrote:

> On Sun, Apr 24, 2005 at 01:23:09PM -0400, Dave Aitel wrote:
>> Nothing happened to that - it was never true. Those of us who find bugs would really appreciate it if every Microsoft MVP would stop astroturfing these lists about it too.
>
> You don't care what we think: why would we care what you think?

I don't think he said that at all.

There's a big difference between discussing disclosure etiquette and demanding that one's terms of disclosure etiquette be followed. Those on the "full disclosure sucks" end tend to do the latter.

Frankly, Dave's right - it was never required to inform the vendor. Is it a nice thing to do? Sure. (informing the vendor, that is...) Is it the responsible thing to do? I tend to think so...

But, should one be compelled to do so? I don't think so. Frankly, I'd hate to see what the world would be like if we had to pass our actions through Acme XYZ company whenever we do anything... I mean, I suppose if you like servitude, then having to get permission for everything would make sense...

It comes down to this: when real people find out something or other regarding a product, they should be allowed to share that information without restriction. That's the organic nature of information: live with it because it's not going to change. The alternative is a freeze on information that would amount to the destruction of all information freedom and, ultimately, the death of democracy (if it ever actually existed)...

Now, responsible disclosure is one thing, but there is no requirement to be responsible. And that isn't to say that just disclosing a bug is inherently irresponsible. If the vendor is not responsive or has not been responsive in the past, then I say disclose away. At that point, disclosure is the responsible thing to do.

Neither side bears a rosy picture: full disclosure can result in users being harmed... but those who've spent any remote amount of time amongst real hackers/crackers know that that is no different from the status quo. (Most of them never end up as MS MVPs, btw.) The "full disclosure sucks" side of the table results in a concept which forwards the idea that a freeze on information ultimately is a good thing and we should all eat from the corporate trough. I'd take my chances with the status quo, keep the flow of information moving, and use that information to protect myself.

No offense meant, but can't we all just get along on this little playground?

            -Barry


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

