The value of vulnerabilities
Jason Miller, 2006-03-07

There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn't exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have to make these issues public?

The value of vulnerabilities 2006-03-07
Anonymous (4 replies)
Re: The value of vulnerabilities 2006-03-08
infamous41md
Regarding the "public good", vendors have - at least - the role of:

a) not downplaying the significance of flaws
b) disclosing flaws to a public forum and making their users aware of them
c) working with researchers to fix the flaws since many vendor attempts at fixes seem rather inept

From my experience (which is very limited, only a couple of years), most vendors will do all three of these. However, you have an unhealthy % of vendors who don't. A researcher gets sick of these people pretty quickly, especially if you're spending your free time auditing their code. After a few encounters with such vendors, a researcher may develop the following strategy:

If I find 5 vulnerabilities in the code, I'll let the vendor know about 2 of them. If they respond properly, I'll then share the rest with them and offer as much help as I possibly can to help fix these problems. However, if they act like unappreciative stubborn mules, I'll happily keep the rest of my findings private and let their users continue to be owned. Or if a vendor just completely ignores a researcher's multiple requests to contact them, you wind up with 0day disclosure, or none at all.

Re: The value of vulnerabilities 2006-03-08
Anonymous
Re: The value of vulnerabilities 2006-03-08
Dancho Danchev
Re: The value of vulnerabilities 2006-03-17
Anonymous
The value of vulnerabilities 2006-03-08
Matthew Murphy (1 replies)
Re: The value of vulnerabilities 2006-03-13
John Smith
The value of vulnerabilities 2006-03-08
Anonymous (1 replies)
The value of vulnerabilities 2006-03-08
Omar A. Herrera (2 replies)
Re:Good Points 2006-03-08
R_U_Trustified (2 replies)
Re: Re:Good Points 2006-03-09
infamous41md
Re: Re:Good Points 2006-03-09
Matthew Murphy (1 replies)
Re: Re: Re:Good Points 2006-03-14
Robert E. Lee (1 replies)
Re: Re: Re: Re:Good Points 2006-03-15
Matthew Murphy (1 replies)
Re: Re: Re: Re: Re:Good Points 2006-03-17
Anonymous
The value of vulnerabilities 2006-03-10
Max (1 replies)
Re: The value of vulnerabilities 2006-03-14
Robert E. Lee
Responsible disclosure 2006-03-13
Anonymous (1 replies)
Re: Responsible disclosure 2006-03-14
Robert E. Lee
The value of vulnerabilities 2006-03-16
C. Winchester
What Value? 2006-03-17
Anonymous (2 replies)
Re: What Value? 2006-03-20
infamous41md
Re: What Value? 2006-03-28
Anonymous
Copyright 2009, SecurityFocus