2006-03-07
There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn't exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have to make these issues public?
The value of vulnerabilities
2006-03-08
Omar A. Herrera (2 replies)
Re: Good Points
2006-03-08
R_U_Trustified (2 replies)
Re: Re: Good Points
2006-03-09
Matthew Murphy (1 reply)
Re: Re: Re: Good Points
2006-03-14
Robert E. Lee (1 reply)

I almost agree with this, but I wish Jason had said that most people also haven't a clue what to do about vulnerabilities.
I'd submit that to be truly a responsible disclosure, no vulnerability should be released to the entire public without a workaround included. If there is no workaround, and no exploit, then is disclosure really necessary other than to force the vendor to act? A number of security companies provide workarounds, but a number of software vendors do not, e.g., they just issue a new version. I do agree with the comments that the researchers who discover the vulnerabilities should be well and promptly paid for their efforts. (I am not one of them, BTW.)
Link to this comment: http://www.securityfocus.com/comments/columns/391/33309#33309