2006-03-07
There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn't exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have to make these issues public?
The value of vulnerabilities
2006-03-08
Omar A. Herrera (2 replies)
Re:Good Points
2006-03-08
R_U_Trustified (2 replies)
Re: Re:Good Points
2006-03-09
Matthew Murphy (1 reply)
Re: Re: Re:Good Points
2006-03-14
Robert E. Lee (1 reply)

End users of publicly available applications are telling us that they want to be notified at the same time as vendors. If they are using vulnerable software, they would rather know their risks than be in the dark. That's why they are paying money to be part of vulnerability notification services.
The only people I've seen to vocally advocate "responsible disclosure" are either employees of corporations who publish software, or passive observers who don't do security research. This dialog should really be between the active participants: the end-users and the researchers. Everyone else is irrelevant.
Link to this comment: http://www.securityfocus.com/comments/columns/391/33270#33270