2006-03-07
There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn't exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors play in making these issues public?
The value of vulnerabilities
2006-03-08
Omar A. Herrera (2 replies)
Re:Good Points
2006-03-08
R_U_Trustified (2 replies)
Re: Re:Good Points
2006-03-09
Matthew Murphy (1 reply)
Re: Re: Re:Good Points
2006-03-14
Robert E. Lee (1 reply)

Sometimes the only workaround is to disable public access to the service or software that is vulnerable. According to our customers of third-party products, that is a better option than operating blindly unaware of the vulnerability.
They believe that vulnerability information should flow freely directly from the researcher to the end users without delay. It's ok to share the information with the vendor of the software at the same time as notifying the end-users, but remember it's up to the end user to make changes, and they can't do that without the proper information.
Too many people make the mistake of assuming that the researcher is the first or only one to find the vulnerability. Waiting for vendor approved workarounds before public disclosure of vulnerabilities makes everyone more at risk.
Robert E. Lee
Dyad Security
Link to this comment: http://www.securityfocus.com/comments/columns/391/33312#33312