Penetration Testing mailing list archives

Re: Scanners and unpublished vulnerabilities - Full Disclosure


From: Muhammad Faisal Rauf Danka <mfrd () attitudex com>
Date: Wed, 29 May 2002 04:13:20 -0700 (PDT)

This will benefit nobody but the company itself and its customers.
I don't find it very bad; besides, this company has an offer which will (somehow) help pen-testers, security 
administrators / consultants, so why shouldn't we expect them to raise financial benefits from it? 

Hate towards them is just like hate towards Bill Gates. Bill Gates is alive and kicking; let them do that as well.

The following paragraph from the NGSS website seems so sensible:
The VNA system addresses goal (2) by ensuring the transparency of the patch process. It is in the customer's 
interests that all security issues in a particular vendor's software are clearly stated; historically this has not 
always been the case, and vendors have "rolled up" many security patches into a single patch, "service pack" or 
release. The VNA system encourages a finer granularity for the identification of security problems, thereby 
allowing customers to identify all of the problems relating to a particular product, and not just the number of 
patches. This obviously assists in goal (3). 

----

So I guess it's all good. Those who won't use it will still survive; most of the pen-testers will still continue to use 
old known bugs for their work. As far as NGSS thinking of keeping their vuln-info inside their scanners is 
concerned, I don't think it can be achieved; people with reverse engineering / sniffing etc. will get to the info, so 
that would be a lost call.

At last, it's just another product / service. It won't bother anyone (except slow-patching vendors) in my opinion (but 
hey, I may be completely wrong).  =) 

Regards, 
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
voice: 92-021-111-GEMNET

Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk
voice: 92-21-4980523 92-21-4974781 

"Great is the Art of beginning, but Greater is the Art of ending. "



--- Alfred Huger <ah () securityfocus com> wrote:
<SNIP>

