SecurityFocus 2003-11-23
Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any public disclosure is made. But there was pronounced disagreement on the question of whether or not researchers should publicly release proof-of-concept code to demonstrate a vulnerability.

Then people started releasing the actual exploit code, and all of a sudden Microsoft and other vendors started fixing these 'only theoretical' issues with their products.
All you have to do is have a little history in this field to know that restricting the data and making it illegal to have the tools to do your jobs (as security professionals, if you are one) is definitely not the right place to be.
Does it annoy me when someone releases exploit code to a system I'm currently tasked to protect? YES. But without that exploit code my hands are tied in actually protecting that system. It annoys me because now I have to do my job as a security professional.
Only those so-called security professionals who believe that their job is to continuously state 'there is no known patch, so I can't help you' or 'my hands are tied, the vendor hasn't told me how to protect you' are the ones that are pushing for this type of legislation.
As it appears in the previous comments posted to this discussion here, those few security professionals who have some professional integrity take exploit code and present mitigation, if not a prevention methodology, to the companies that they are hired to protect quicker than the vendor ever could.
Just my less than 2 cents on this subject that I've repeated over and over again each time this 'stick your head in the sand and hope the bad guy passes over me' methodology is proposed.