, SecurityFocus 2003-11-23
Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any public disclosure is made. But there was pronounced disagreement on the question of whether or not researchers should publicly release proof-of-concept code to demonstrate a vulnerability.
Expand all |
Post comment
Though I see one agreement form Kevin?s article & other posting ?..
All will like to have access to new exploits & most don?t want to turn them into worms to bring down the internet ?. We all love it (internet)?.
White/Black hacker could follow a personnel code to
1 . release a new vulnerability to vendor & www.cert.org ?.. wait 30 days
2 . release vulnerability to public ?. wait 15 days
3. release the exploit
Similar to suggestion already discussed here? it will keep the pressure on vendors to provide the patch as they are under the deadline of 45 days when the exploit for vulnerability will be freely available.
It will keep the pressure on companies to apply the patches as they will see the clear deadline approaching when the exploit will be freely available.
Lastly, you will have script kiddes, having ball with networks that never gave a damm about patching their networks?.
(- -)
[ reply ]
Link to this comment: http://www.securityfocus.com/comments/articles/7511/23847#23847