Full Disclosure mailing list archives
RE: Our Industry Is Seriously Ethics Impaired
From: "Williams, James K" <James.Williams () ca com>
Date: Wed, 27 Jul 2005 19:34:51 -0400
List: full-disclosure
Subject: RE: [Full-disclosure] Our Industry Is Seriously Ethics Impaired
From: security curmudgeon <jericho () attrition ! org>
Date: 2005-07-27 21:30:22
Message-ID: Pine.LNX.4.63.0507271728130.13422 () forced ! attrition ! org

On Wed, 27 Jul 2005, DAN MORRILL wrote:

: So is 3com willing to lean on Oracle or Microsoft, or Real,
: or anyone else to get the patch done in a reasonable time
: frame? So that the finder of the issue does not get bored
: or angry or worried that someone else will discover it and
: then claim full credit for it?

Why would they lean on any vendor? It is in their best interest to let the vendor take as long as they want to fix an issue. Remember that they share this information with their paying clients, so the longer it is "0-day", the longer it is "exclusive" to 3com/clients, the more value it has. Pushing on a vendor to patch it faster doesn't do them nearly as much good in the end.

Yes, there is value in sharing it first with the paying customers, but there is also great value in eventually disclosing it to the public. Public disclosure == advertising, for both the vuln buyer and the vuln discoverer.

I've found that commercial entities who deal in 3rd party vulnerabilities usually want to share with the public after a few weeks/months. Commercial entities who sell vuln audit/scanner/pen-test software usually don't want to share all of their exploit code or vulnerability information though. They want to share just enough to get people interested in their products/services.

The only entities who may have no interest in disclosure are:

- the vendors who made and sell the vulnerable products
- people who practice non-disclosure on principle
- exploit hoarders (everybody needs a secret stash of 0-day)
- vendors who sell vuln audit/scanner/pen-test software

So, I guess we will have to wait and see exactly what 3Com plans to do with the vuln info.

Regards,
kw

Ken Williams ; Vulnerability Research
Computer Associates ; 0xE2941985

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/