Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: batz <batsy () vapour net>
Date: Wed, 29 May 2002 14:35:09 -0400 (EDT)
On Wed, 29 May 2002, David Litchfield wrote:

:This comment (and some which follow) indicate you've missed on of the key
:points. When the vendor does release a patch NGSSoftware will follow up with
:full details as normal. The VNA is not intended to replace our normally full
:advisory - it simply exists as an interim solution to 'help' ensure vendors
:release patches in a timely fsahion.

Aah, this wasn't clear to me and (evidently) many others. I'm sure it's 
in there somewhere, but maybe you could emphasize it a bit more?  

:By putting these checks in Typhon, which we've always done, we buy a week or
:two advantage over something like Nessus.

Indeed. I don't see how this process is even inconsistent with the full
disclosure approach. I have admittedly been more of an advocate than a 
practitioner of full disclosure, but maybe someone could point out more
clearly how this will deprive the underground of its toys? ;) 

Cheers, 

--
batz


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Previous By Date Next
Previous By Thread Next

Current thread: