, SecurityFocus 2003-11-23
Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any public disclosure is made. But there was pronounced disagreement on the question of whether or not researchers should publicly release proof-of-concept code to demonstrate a vulnerability.
Expand all |
Post comment
I've recently gone through a similar situation. I found a minor security flaw on a product of a certain big company (I prefer to not expose them right now because they are still in process of fixing it) and they've been very nice with me.
They not only asked me further information about the program I had developed to attack this product in question, but also sent me the first patch to test it, even without releasing it publicly.
I know that some companies don't give a sh** when they receive emails describing problems on their products, but I believe it's just a matter of "how to talk to them", because they certainly know the importance of this "independent" help ( at least I believe so ... )
Rodrigo Otavio Paes de Barros Otaviano
[ reply ]
Link to this comment: http://www.securityfocus.com/comments/articles/7511/23870#23870