SecurityFocus, 2003-11-23
Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any public disclosure is made. But there was pronounced disagreement on the question of whether or not researchers should publicly release proof-of-concept code to demonstrate a vulnerability.

Basically there are no good options on releasing proof-of-concept code, because even with crippled code, exploits are hitting hacker sites within 24-48 hours anyway, unless the code is so severely crippled that nobody could make sense of it (making it obviously useless). It doesn't matter if the exploit is in raw code or compiled for people to get; compiled copies are extremely easy for script kiddies to get.
This thought of companies wanting to fix security holes themselves is a great thought, but they don't until their software is threatened.
Link to this comment: http://www.securityfocus.com/comments/articles/7511/24014#24014