Exploit Code on Trial
Kevin Poulsen, SecurityFocus 2003-11-23

Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any public disclosure is made. But there was pronounced disagreement on the question of whether or not researchers should publicly release proof-of-concept code to demonstrate a vulnerability.

Exploit Code on Trial 2003-11-24
Anonymous
Screw the vendors 2003-11-24
Anonymous (2 replies)
Screw the vendors 2003-11-25
Rodrigo Otaviano <rodrigo (at) otaviano (dot) com [email concealed]>
Exploit Code on Trial 2003-11-24
Bob Radvanovsky
Exploit Code on Trial 2003-11-24
Anonymous
Exploit Code on Trial 2003-11-24
TW
Exploit Code on Trial 2003-11-25
Leif Ericksen
Should we publish a book or should we not publish a book? Should we print a news story or should we not print a news story? Should we allow a person to speak or should we silence them (forever?)?

OK, I have to agree with the folks that have stated that having exploit code out in the wild 'forces' vendors that would otherwise turn a blind eye to the situation.

WE DO NOT HAVE A PROBLEM. Now it is up to us, the users, to show our vendor YES we do have a problem. However, banning the publishing of exploit code or making it illegal to do so (worldwide that would be kind of hard) would make it difficult if not impossible for us to come up with this proof. What is next, us showing proof of concept to a vendor that their system is flawed? Being banned or made illegal?

OK, one more step WORLD GRID (TCPA??) I have spoken with some folks that think that TCPA could be the start of a world grid based on the level of a PC. I agree with the arguments they use, at least to a point. I also have to agree with Mr. Radvanovsky. OK so I will join his conspiracy theory bandwagon that this is all staged, and take it to the level of including the governments. Why not? What better way to get public outcry, and support. Once you get the public demanding the safety and you give it to them, you can now have a subtle control over them. They turned it over without really knowing that they have. Slowly we have had new controls placed on us at times demanding them, only later to say WE DO NOT WANT THIS!!!

Just my thoughts at this moment.

--Leif Ericksen

Link to this comment: http://www.securityfocus.com/comments/articles/7511/23846#23846
Exploit Code on Trial - final word 2003-11-25
Anonymous (1 replies)
Exploit Code on Trial 2003-11-25
Camel
Loss of money 2003-11-29
bl0rf
Exploit Code on Trial 2003-12-02
Anonymous
Exploit Code on Trial 2003-12-02
Anonymous
Copyright 2009, SecurityFocus