Penetration Testing mailing list archives

Re: Scanners and unpublished vulnerabilities - Full Disclosure


From: Drew <simonis () myself com>
Date: Wed, 29 May 2002 09:32:44 -0400
| Seems to me like a thinly veiled marketing announcement.  Worked, too.
|
| I don't notice anything _too_ radically separated from well known
| vulnerability disclosure methods, with the singular exception that
| they do not make accommodations for a responsive vendor who has not
| yet released a patch, which is in contrast to the RFPolicy, a well
| known disclosure roadmap, and the referenced Christey-Wysopal policy.
|
| I read it as "Buy our scanner and you'll have access to vulnerabilities
| others don't yet have".
|


I couldn't agree more. I personally see it as a ploy touting the
fact that their purchasable product will now and then be able to
look for some vulnerabilities that other products won't be able to.

And this is wrong how? If David can protect his customers on a pro-active
basis and allow them to assess their own risk, I can't see how you find fault
in it.
My original point was not that this is wrong or right.  I wasn't
trying to make any value judgments on the merit of this process,
but instead on the overall technical value of the announcement.

It is rather like my announcing that my name is Drew Simonis,
but I've decided to spell it "Drew simonis".  (Note the lowercase!)
I hardly think this would start a rollicking discussion or a new group
in alt.genealogy.surnames.*

In short, there is nothing of value in the announcement.  They are
telling us that they are going to follow well known disclosure policies.
Isn't that a given for a respectable company?  This is why I
characterized the announcement as a marketing ploy... for the lack of
content, not the value of the content.


