Vulnerability Development mailing list archives

Re: Another new worm???


From: crispin () WIREX COM (Crispin Cowan)
Date: Thu, 22 Jun 2000 20:53:39 -0700


Blue Boar wrote:

> Any idea what the qualifications are?  I assume one would have to agree not
> to distribute outside of the group.  Would the group let in someone who
> was producing a free AV product?

If "free" == "libre" (GPL) then the license would compel disclosure of the
source code, which would in turn disqualify such a project from the requirement
to not distribute information outside the group.  A policy that makes it
impossible to write a GPL'd product says rather clearly that it is a bad policy.

> That is the same as saying "we don't hire hackers."  How do you know?
> MS tried escrowing exploits once... just once (so far.)  Aleph1 had
> a copy of the exploit in less than 24 hours.  Not all the guys working
> for the "proper" people follow the policy like you'd like them to.

I'd like more details & references for this incident.  I've proposed a
"vulnerability escrow" procedure (adjudicated by a neutral 3rd party) as a way
to encourage compliance with Rain Forrest Puppy's articulation of sound
vulnerability disclosure practices: http://www.wiretrip.net/rfp/policy.html

Crispin

--
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
