Full Disclosure mailing list archives

RE: Our Industry Is Seriously Ethics Impaired


From: "Williams, James K" <James.Williams () ca com>
Date: Wed, 27 Jul 2005 19:34:51 -0400


List:       full-disclosure
Subject:    RE: [Full-disclosure] Our Industry Is Seriously Ethics Impaired
From:       security curmudgeon <jericho () attrition ! org>
Date:       2005-07-27 21:30:22
Message-ID: Pine.LNX.4.63.0507271728130.13422 () forced ! attrition ! org

On Wed, 27 Jul 2005, DAN MORRILL wrote:

: So is 3com willing to lean on Oracle or Microsoft, or Real, 
: or anyone else to get the patch done in a reasonable time 
: frame? So that the finder of the issue does not get bored 
: or angry or worried that someone else will discover it and 
: then claim full credit for it?

Why would they lean on any vendor? It is in their best 
interest to let the vendor take as long as they want to fix an
issue. 

Remember that they share this information with their paying 
clients, so the longer it is "0-day", the longer it is 
"exclusive" to 3com/clients, the more value it has. Pushing on
a vendor to patch it faster doesn't do them near as much good
in the end.
 
Yes, there is value in sharing it first with the paying 
customers, but there is also great value in eventually disclosing
it to the public.  Public disclosure == advertising, for both 
the vuln buyer and the vuln discoverer.  I've found that 
commercial entities who deal in 3rd party vulnerabilities usually
want to share with the public after a few weeks/months.  
Commercial entities who sell vuln audit/scanner/pen-test software
usually don't want to share all of their exploit code or 
vulnerability information though.  They want to share just enough
to get people interested in their products/services.

The only entities who may have no interest in disclosure are:

- the vendors who made and sell the vulnerable products
- people who practice non-disclosure on principle
- exploit hoarders (everybody needs a secret stash of 0-day)
- vendors who sell vuln audit/scanner/pen-test software

So, I guess we will have to wait and see exactly what 3Com
plans to do with the vuln info.

Regards,
kw
Ken Williams ; Vulnerability Research 
Computer Associates ; 0xE2941985

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

