Full Disclosure mailing list archives

Re: [SE-2012-01] information regarding recently discovered Java 7 attack


From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 29 Aug 2012 14:53:28 -0400

On Wed, Aug 29, 2012 at 2:40 PM, Security Explorations
<contact () security-explorations com> wrote:

> On 2012-08-29 18:10, Jeffrey Walton wrote:
>
>> Have you reported the issues to US CERT?
>
> No. Per our Disclosure Policy, we stick to reporting issues to original
> vendors only.
Perhaps it's time to update the disclosure policy. It does not seem to
be working as intended. Hindsight being 20/20, it makes sense since it
appears the "foxes are guarding the henhouse." I believe it's the
reason for Bugtraq and Full Disclosure.

At minimum, it seems appropriate to include US CERT (or other CERTs)
once a good faith effort has been made to have the vendor fix the
defects. Vendors can string folks like you and me along, but they have
less success with folks like country-wide CERTs.

I once used DE CERT to report some issues with GnuPG on Windows.
Interestingly, I was asked to provide funding for the fix even though
I submitted sample code demonstrating the fix. (Crowd sourcing is a
myth - don't drink the Kool-Aid.)

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
