Secure Coding mailing list archives
Disclosure: vulnerability pimps? or super heroes?
From: jms at bughunter.ca (J. M. Seitz)
Date: Tue, 27 Feb 2007 14:42:49 -0800
Always a great debate, I somewhat agree with Marcus, there are plenty of "pimps" out there looking for fame, and there are definitely a lot of them (us) that are working behind the scenes, taking the time to help the vendors and to stay somewhat out of the limelight. The ying-yang is very fitting. On a related note, does anyone have an example where Company A was disclosing vulnerabilities about competing Company B's product and got into trouble over it? Is this something that could be litigated? JS -----Original Message----- From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Gary McGraw Sent: Tuesday, February 27, 2007 11:24 AM To: SC-L at securecoding.org Subject: [SC-L] Disclosure: vulnerability pimps? or super heroes? Hi all, The neverending debate over disclosure continued at RSA this year with a panel featuring Chris Wysopl and others rehashing old ground. There are points on both sides, with radicals on one side (say marcus ranum) calling the disclosure people "vulnerability pimps" and radicals on the other saying that computer security would make no progress at all without disclosure. I've always sought some kind of middle ground when it comes to disclosure. The idea is to minimize risk to users of the broken system while at the samne time learning something about security and making sure the system gets fixed. Disclosure is the subject of my latest Darkreading column: http://www.darkreading.com/document.asp?doc_id=118174 What do you think? Should we talk about exploits? Should we out vendors? Is there a line to be drawn anywhere? gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com ---------------------------------------------------------------------------- This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You. ---------------------------------------------------------------------------- _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
Current thread:
- Disclosure: vulnerability pimps? or super heroes? Gary McGraw (Feb 27)
- Disclosure: vulnerability pimps? or super heroes? J. M. Seitz (Feb 27)
- Disclosure: vulnerability pimps? or super heroes? Blue Boar (Feb 27)
- Disclosure: vulnerability pimps? or super heroes? Steven M. Christey (Mar 05)
- Disclosure: vulnerability pimps? or super heroes? Stuart Moore (Mar 05)
- Disclosure: vulnerability pimps? or super heroes? Michael Silk (Feb 27)
- <Possible follow-ups>
- Disclosure: vulnerability pimps? or super heroes? Gary McGraw (Mar 05)
- Disclosure: vulnerability pimps? or super heroes? Kenneth Van Wyk (Mar 06)
- Disclosure: vulnerability pimps? or super heroes? Blue Boar (Mar 06)
- Disclosure: vulnerability pimps? or super heroes? Steven M. Christey (Mar 06)
- Disclosure: vulnerability pimps? or super heroes? Steven M. Christey (Mar 06)
- Disclosure: vulnerability pimps? or super heroes? Kenneth Van Wyk (Mar 06)
- Disclosure: vulnerability pimps? or super heroes? J. M. Seitz (Feb 27)