Exploit Code on Trial
Kevin Poulsen, SecurityFocus 2003-11-23

Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any public disclosure is made. But there was pronounced disagreement on the question of whether or not researchers should publicly release proof-of-concept code to demonstrate a vulnerability.

Comments:
- Exploit Code on Trial (2003-11-24) by Anonymous
- Screw the vendors (2003-11-24) by Anonymous (2 replies)
- Screw the vendors (2003-11-25) by Rodrigo Otaviano <rodrigo (at) otaviano (dot) com [email concealed]>
- Exploit Code on Trial (2003-11-24) by Bob Radvanovsky
- Exploit Code on Trial (2003-11-24) by Anonymous
- Exploit Code on Trial (2003-11-24) by TW
- Exploit Code on Trial (2003-11-25) by Leif Ericksen
- Exploit Code on Trial - final word (2003-11-25) by Anonymous (1 reply)
- Exploit Code on Trial (2003-11-25) by Camel
- Loss of money (2003-11-29) by bl0rf
- Exploit Code on Trial (2003-12-02) by Anonymous
Exploit Code on Trial 2003-12-02
Anonymous

The moment somebody releases an advisory saying that a particular product has a flaw in some service (an RPC exploit, say), the whole internet community concentrates on finding the flaw. A significant portion of bug hunting is knowing where to look. In any advisory (with no code yet) the researchers release enough information that others start looking, and shortly afterwards somebody will find it. For this to work, there should be no advisory and no code released to the public until the issue is resolved. Publishing only an advisory, with no code and no details, doesn't really help the sysadmin; it stimulates people to find the flaw and to write and publish the code as soon as possible. It's like a racing game. No advisory, no code = nothing really happened, until the patch is released along with the proof-of-concept code and the full advisory.

Link to this comment: http://www.securityfocus.com/comments/articles/7511/23996#23996
Copyright 2009, SecurityFocus