SecurityFocus 2003-11-23
Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any public disclosure is made. But there was pronounced disagreement on the question of whether or not researchers should publicly release proof-of-concept code to demonstrate a vulnerability.
It took months for vendors to actually fix problems. So some white/grey hats just got tired and decided to rapidly publish exploit code.
What motivation does a vendor have to fix code quickly? If it's not out in the public, then there is little to no motivation.
Just the report of a possible exploit will make black hats find the hole and create exploit code themselves, if they hadn't already found the problem first. So who benefits by allowing a vendor too much time to fix a problem?
Link to this comment: http://www.securityfocus.com/comments/articles/7511/23845#23845