The value of vulnerabilities
Jason Miller, 2006-03-07

There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn't exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have to make these issues public?

The value of vulnerabilities 2006-03-10
Max (1 replies)
Well, I think both the vendor and the researcher are partly at fault. In a circumstance, and this happens a lot it seems, where the vendor is contacted by the researcher about a new vulnerability and exploit, and the vendor does nothing at all, the researcher's best next move is to make the vulnerability public to the general public. That way at least people that look on sites like SecurityFocus and other vulnerability databases, etc., will have a heads up. And then of course the not security-minded people are pretty screwed, but regardless, the general public should get some info on a vulnerability before you just let the exploit go flying around on the Internet. It's not the users' fault that the vendor made the software insecure.

Basically what I'm saying is: add a couple of extra steps to notify the users and the public about the problem before you publish code and allow users that have no idea there is a vulnerability to get owned.
