Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
The value of vulnerabilities
Jason Miller, 2006-03-07

There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn't exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have to make these issues public?

Comments Mode:
The value of vulnerabilities 2006-03-07
Anonymous (4 replies)
Re: The value of vulnerabilities 2006-03-08
infamous41md
Re: The value of vulnerabilities 2006-03-08
Anonymous
Re: The value of vulnerabilities 2006-03-08
Dancho Danchev
Re: The value of vulnerabilities 2006-03-17
Anonymous
Another viewpoint - The value of vulnerabilities 2006-03-08
Robert E. Lee
The value of vulnerabilities 2006-03-08
Matthew Murphy (1 replies)
Re: The value of vulnerabilities 2006-03-13
John Smith
The value of vulnerabilities 2006-03-08
Anonymous (1 replies)
Re: The value of vulnerabilities 2006-03-13
hi2005
The value of vulnerabilities 2006-03-08
Omar A. Herrera (2 replies)
Re:Good Points 2006-03-08
R_U_Trustified (2 replies)
Re: Re:Good Points 2006-03-09
infamous41md
Re: Re:Good Points 2006-03-09
Matthew Murphy (1 replies)
Re: Re: Re:Good Points 2006-03-14
Robert E. Lee (1 replies)
Re: Re: Re: Re:Good Points 2006-03-15
Matthew Murphy (1 replies)
Re: Re: Re: Re: Re:Good Points 2006-03-17
Anonymous
Re: The value of vulnerabilities 2006-03-13
hi2005
The value of vulnerabilities 2006-03-10
Max (1 replies)
Re: The value of vulnerabilities 2006-03-14
Robert E. Lee
Responsible disclosure 2006-03-13
Anonymous (1 replies)
Re: Responsible disclosure 2006-03-14
Robert E. Lee
The value of vulnerabilities 2006-03-16
C. Winchester
That is one of the most well-balanced articles on vulnerabilities that I have read in a long time. It is a balancing act but vendors are the source / cause of the vulnerabilities. While totally irresponsible disclosure practices on the part of the security "researcher" are worthy of bad press, vendors have to start owning up to the ultimate responsibility. Giving a vendor 2 days before "going public" is a pointless threat that hurts everybody. But giving a vendor 6 months is just as bad.

I agree that rewards are not a bad thing - maybe if vendors allowed their own internal testing staff (if they actually even have any?) to seek reward bonuses for finding vulnerabilities we'd have fewer found after the release of the software.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/391/33327#33327
What Value? 2006-03-17
Anonymous (2 replies)
Re: What Value? 2006-03-20
infamous41md
Re: What Value? 2006-03-28
Anonymous







 

Privacy Statement
Copyright 2009, SecurityFocus