SecurityFocus 2003-11-23
Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any public disclosure is made. But there was pronounced disagreement on the question of whether or not researchers should publicly release proof-of-concept code to demonstrate a vulnerability.

Having exploits to software that I'm running is the only way I can reasonably test security measures I have in place, since investigating and developing security exploits is not feasible without a huge budget. One way to get a huge budget is to sell your discoveries to professional criminals, the other is to let everyone hand out their discoveries freely, that way each organization only foots a small portion of the overall bill to discover all the known security problems.