Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Publishing exploit code - what is it good for

From: "John Horn" <John.Horn () tucsonaz gov>
Date: Thu, 30 Jun 2005 10:40:37 -0700
As the security officer for our organization, I find full disclosure 
to be an indispensable part of our software selection process. Software
that has not been thoroughly examined and tested is considered strongly
suspect by our organization and is not likely to find its way to our
short
list.

Without the exploit code, we have only some unknown person's suggestion 
that the software is vulnerable. Without the code, it becomes difficult
to 
discern the difference between a legitimate exploit and someone's
personal
bias against a particular company or software package. 

With the exploit code we can independently verify the vulnerability -
thus 
increasing our internal confidence in the opinions of the researcher and

the researcher's organization (if any).

The code is indispensable. Period.
 
 
 

Aviram Jenik <aviram () beyondsecurity com> 06/30 6:13 am >>> 

Hi, 
 
I recently had a discussion about the concept of full disclosure with
one of 
the top security analysts in a well-known analyst firm. Their claim was
that 
companies that release exploit code (like us, but this is also relevant
for 
bugtraq, full disclosure, and several security research firms) put users
at 
risks while those at risk gain nothing from the release of the exploit. 
 
I tried the regular 'full disclosure advocacy' bit, but the analyst
remained 
reluctant. Their claim was that based on their own work experience, a 
security administrator does not have a need for the exploit code itself,
and 
the vendor information is enough. The analyst was willing to reconsider
their 
position if an end-user came forward and talked to them about their own 
benefit of public exploit codes. Quote: " If I speak to an end-user 
organization and they express legitimate needs for exploit code, then
I'll 
change my opinion." 
 
Help me out here. Full disclosure is important for me, as I'm sure it is
for 
most of the people on these two lists. If you're an end-user
organization and 
are willing to talk to this analyst and explain your view (pro-FD, I
hope), 
drop me a note and I'll put you in direct contact. 
 
Please note: I don't need any arguments pro or against full disclosure;
all 
this has been discussed in the past. I also don't need you to tell me
about 
someone else or some other project (e.g. nessus, snort) that utilizes
these 
exploits. Tried that. Didn't work. 
 
What I need is a security administrator, CSO, IT manager or sys admin
that can 
explain why they find public exploits are good for THEIR organizations.
Maybe 
we can start changing public opinion with regards to full disclosure,
and 
hopefully start with this opinion leader. 
 
TIA. 
 
-- 
Aviram Jenik 
Beyond Security 
 
http://www.BeyondSecurity.com 
http://www.SecuriTeam.com 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: