Re: [Full-disclosure] Publishing exploit code - what is it good for
From: Anders B Jansson (hdw_at_kallisti.se)
Date: Thu, 30 Jun 2005 14:53:56 +0200 To: firstname.lastname@example.org
The discussion is only theoretical and of no business importance.
Exploits are disclosed, that's a fact that I as security manager have to
live and work with.
If this disclosure is good or bad is totally irrelevant.
Anyone who discovers an exploitable weakness, informs the supplier and
then shuts up for months and months is fooled by his/her own ego.
There's nothing that says the he/she/it is the only one who has
discovered this flaw, actually, there's good reason to believe that it's
already known by black hats.
Give developers a chance to react? Yes.
If they don't react? Publish.
Aviram Jenik wrote:
> I recently had a discussion about the concept of full disclosure with one of
> the top security analysts in a well-known analyst firm. Their claim was that
> companies that release exploit code (like us, but this is also relevant for
> bugtraq, full disclosure, and several security research firms) put users at
> risks while those at risk gain nothing from the release of the exploit.
> I tried the regular 'full disclosure advocacy' bit, but the analyst remained
> reluctant. Their claim was that based on their own work experience, a
> security administrator does not have a need for the exploit code itself, and
> the vendor information is enough. The analyst was willing to reconsider their
> position if an end-user came forward and talked to them about their own
> benefit of public exploit codes. Quote: " If I speak to an end-user
> organization and they express legitimate needs for exploit code, then I'll
> change my opinion."
> Help me out here. Full disclosure is important for me, as I'm sure it is for
> most of the people on these two lists. If you're an end-user organization and
> are willing to talk to this analyst and explain your view (pro-FD, I hope),
> drop me a note and I'll put you in direct contact.
> Please note: I don't need any arguments pro or against full disclosure; all
> this has been discussed in the past. I also don't need you to tell me about
> someone else or some other project (e.g. nessus, snort) that utilizes these
> exploits. Tried that. Didn't work.
> What I need is a security administrator, CSO, IT manager or sys admin that can
> explain why they find public exploits are good for THEIR organizations. Maybe
> we can start changing public opinion with regards to full disclosure, and
> hopefully start with this opinion leader.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/