SecurityFocus 2003-11-23
Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any public disclosure is made. But there was pronounced disagreement on the question of whether or not researchers should publicly release proof-of-concept code to demonstrate a vulnerability.

Although this order of action delays the release of "white hat" exploit code, it will still get out if the vendor does nothing. The vendor is just given more than one chance (during the private and public notification phases) to address the problem first...