Irresponsible Disclosure
Jon Lasser, 2002-06-26

Internet Security Systems violated community standards and common sense with its surprise Apache bug announcement.

Irresponsible Disclosure 2002-06-26
Anonymous (1 replies)
Irresponsible Disclosure 2002-06-28
Anonymous
Irresponsible Disclosure 2002-06-26
joe90@hushmail.com
Irresponsible Disclosure 2002-06-27
Please please please get a new UNIX writer! (7 replies)
Are you working for ISS ? 2002-06-27
nimp
Irresponsible Disclosure 2002-06-27
Anonymous
Irresponsible Disclosure 2002-06-27
Anonymous
Irresponsible Disclosure 2002-06-29
Tired of loud mouth open source freaks (1 replies)
Irresponsible Disclosure 2002-06-29
Anonymous
Damned if you do, damned if you don't 2002-06-27
TL (1 replies)
Damned if you do (irresponsibly), damned if you don't (ever) 2002-06-28
Tor Slettnes
I disagree - companies _can_ get this right. That's what Jon Lasser is talking about - guidelines for responsible release of vulnerability information.

If a vulnerability is found for the first time by a "white hat", the responsible thing for her (or him) to do is to inform the vendor of the software, then give them a reasonable time to solve the problem before going public. As Jon said, this is especially true if a lot of people depend on the software and no known exploit exists for the vulnerability.

As an alternative, go public saying that "there is a problem in XXX software; we have notified the vendor". That way, people that don't depend on the software have the option of removing it from their system, or otherwise protecting themselves. Theo de Raadt handled the OpenSSH issue well this way.

Provide patches to them if you like. But don't assume that you know what it takes to write secure code, and release it on your own. That's not only arrogant, that's stupid. The vendor usually knows better.

Irresponsible Disclosure 2002-06-27
Anonymous
The shoe is on the other foot 2002-06-27
Anonymous (10 replies)
The shoe is on the other foot 2002-06-27
Anonymous
The shoe is on the other foot 2002-06-28
Anonymous
The shoe is on the other foot 2002-06-28
Anonymous
The shoe is on the other foot 2002-06-29
Anonymous
The shoe is on the other foot 2002-06-29
Anonymous
The shoe is on the other foot 2002-06-29
pseudoAnonymous
Penalties 2002-06-27
Anonymous
Irresponsible Disclosure 2002-06-28
System Engineer in UK
Irresponsible Disclosure 2002-06-28
Anonymous
Irresponsible Disclosure -- CYA 2002-06-28
Anonymous
hehehe ! apachi is next victim 2002-06-29
ICMP_Z@yahoo.com (1 replies)
hehehe ! apachi is next victim 2002-07-01
Anonymous
what i think about ms... 2002-07-03
Lysergsäurediethylamid
Copyright 2009, SecurityFocus