Penetration Testing mailing list archives

Re: Scanners and unpublished vulnerabilities - Full Disclosure


From: Drew <simonis () myself com>
Date: Tue, 28 May 2002 15:42:00 -0400

Alfred Huger wrote:

Heya all,

Most of you who are long time users of this list know I tend to avoid
conversations on-list about full-disclosure. I'm of the opinion it's a
religious discussion with little or no merit for debate given that people
are unlikely to move from their current position.

Having said this, every now and then something does occur within our
industry to spur discussion. In this case I came across something which
directly impacts the Pen-Testing arena and I would like to throw it out
for open discussion. The event in question is a new Vendor Notification
Alert Scheme the folks over at NGSSoftware announced yesterday. The
announcement can (and should) be read at:

http://www.nextgenss.com/news/vna.html



Seems to me like a thinly veiled marketing announcement.  Worked, too.

I don't notice anything _too_ radically separated from well known
vulnerability disclosure methods, with the singular exception that
they do not make accommodations for a responsive vendor who has not
yet released a patch, which is in contrast to the RFPolicy, a well
known disclosure roadmap, and the referenced Christey-Wysopal policy.

I read it as "Buy our scanner and you'll have access to vulnerabilities
others don't yet have".


-Ds
