[Fwd: Scanners and unpublished vulnerabilities - Full Disclosure]

[E <j46 () btinternet com>]

> --- Begin Message ---
>
>
> From: E <j46 () btinternet com>
>
> Date: Tue, 28 May 2002 18:45:47 +0000
>
> This seems like nothing more than yet another case of a security company using
> the release
> of vulnerabilities to raise its profile. If they release to the general public
> the information
> after 1 week, who benefits? Since a patch may not be available, the end user
> certainly isnt
> the winner in this situation, infact the only winner is the company releasing
> the information.
>   If you coordinate with the vendor and wait until a patch is ready, this would
> seem to be the
> most ethical approach. Releasing vulnerability information before the vendor
> has released a
> patch is irresponsible and reveals the true self-promoting motives of the
> person releasing the
> information.
>  If the vendor does not release a patch within your specific "time frame", it
> is their problem and
> not yours, it does not give you the right to release the info just because you
> want to. All you
> do is put the vendors users at increased risk.
>
> This URL strikes me as being totally irresponsible and pointlesss...
>
> When are people going to stop acting in their own financial best interests and
> begin acting in the
> interests of the community?
>
>
> Alfred Huger wrote:
>
> > Heya all,
> >
> > Most of you who are long time users of this list know I tend to avoid
> > conversations on-list about full-disclosure. I'm of the opinion it's a
> > religious discussion with little or no merit for debate given that people
> > are unlikely to move from their current position.
> >
> > Having said this every now and then something does occur within our
> > industry to spur discussion. In this case I came across something which
> > directly impacts the Pen-Testing arena and I would like to throw it out
> > for open discussion. The event in question is a new Vendor Notification
> > Alert Scheme the folks over at NGSSoftware announced yesterday. The
> > announcement can (and should be) read at:
> >
> > http://www.nextgenss.com/news/vna.html
> >
> > In brief they are now unloading limited details to the public about
> > vulnerabilities they have notified vendors about. Their reasoning behind
> > this is well thought out and I suggest you read the announcement before
> > jumping to a visceral conclusion one way or another. The way this impacts
> > the Pen-testing community is that these vulnerabilities which are in the
> > process (presumably) of being fixed are actively being coded into the
> > Typhon II Vulnerability Assessment Scanner from NGSSoftware. This
> > obviously is a significant issue which I suspect many of you out there
> > have opinions on. I have my own but I'll hold out on commenting till the
> > conversation gets under way (if it actually does so).
> >
> > Lastly, before you post a reply - please read the provided URL. And for
> > those of you who are entirely disinterested in threads like this, please
> > accept my apologies in advance.
> >
> > -al
> >
> > VP Engineering
> > SecurityFocus
> > "Vae Victis"
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> > Service. For more information on SecurityFocus' SIA service which
> > automatically alerts you to the latest security vulnerabilities please see:
> > https://alerts.securityfocus.com/
>
>
>
> --- End Message ---
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/