Full Disclosure mailing list archives
Re: [SE-2012-01] information regarding recently discovered Java 7 attack
From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 29 Aug 2012 14:53:28 -0400
On Wed, Aug 29, 2012 at 2:40 PM, Security Explorations <contact () security-explorations com> wrote:
> On 2012-08-29 18:10, Jeffrey Walton wrote:
>> Have you reported the issues to US Cert?
>
> No. Per our Disclosure Policy, we stick to reporting issues to original vendors only.

Perhaps it's time to update the disclosure policy. It does not seem to be working as intended. Hindsight being 20/20, it makes sense since it appears the "foxes are guarding the henhouse." I believe it's the reason for Bugtraq and Full Disclosure.

At minimum, it seems appropriate to include US Cert (or other Certs) once a good faith effort has been made to have the vendor fix the defects. Vendors can string folks like you and me along, but they have less success with folks like country-wide certs.

I once used DE Cert to report some issues with GnuPG on Windows. Interestingly, I was asked to provide funding for the fix even though I submitted sample code demonstrating the fix. (Crowd sourcing is a myth - don't drink the Kool-Aid).

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/