, SecurityFocus 2003-11-23
Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any public disclosure is made. But there was pronounced disagreement on the question of whether or not researchers should publicly release proof-of-concept code to demonstrate a vulnerability.

I personally used exploit code to verify that MS thin clients were also vulnerable to Blaster. This was previously unpublished, and the information was never added to the MS advisory.
What are we supposed to do to keep the companies "honest" if we do not have the tools to do so?
I understand not putting out a compiled version for the script kiddies, but the code is highly useful for skilled professionals.