, SecurityFocus 2003-11-23
Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any public disclosure is made. But there was pronounced disagreement on the question of whether or not researchers should publicly release proof-of-concept code to demonstrate a vulnerability.
Expand all |
Post comment
Often the source of the exploit code I receive is NOT available to the public (so called 0-day) and stuff that never surfaces on public sites. However we test ALL published code as soon as we can. I find it extremely helpful to me, and my peers to have such code available. Having working exploits is the easiest way for me to get the risk across to the teams that have to do the patching. A higher risk, insures a faster patch pipeline deployment.
TW
[ reply ]
Link to this comment: http://www.securityfocus.com/comments/articles/7511/23836#23836