Re: [Full-disclosure] Our Industry Is Seriously Ethics Impaired

From: J u a n (perfectirijillo_at_gmail.com)
Date: 07/27/05

  • Next message: phased: "Re[2]: [Full-disclosure] Our Industry Is Seriously Ethics Impaired"
    Date: Wed, 27 Jul 2005 10:42:21 -0300
    To: Adam Jones <ajones1@gmail.com>
    
    

    But who's to say who is malicious and who's not?
    Besides this is Full Disclosure, and we believe in it.

    On 7/27/05, Adam Jones <ajones1@gmail.com> wrote:
    > What exactly is wrong with this? I personally would rather have 3com
    > buying up exploits (probably under an agreement for exclusive access)
    > instead of having them sold to the highest, probably malicious,
    > bidder. Even if someone sells it to both there is a more reputable
    > group that has the exploit and can help with mitigation.
    >
    > - Adam
    > On 7/26/05, J.A. Terranson <measl@mfn.org> wrote:
    > >
    > > Yet another voice baying at the moon.
    > >
    > > --
    > > Yours,
    > >
    > > J.A. Terranson
    > > sysadmin@mfn.org
    > > 0xBD4A95BF
    > >
    > >
    > > "A stock broker is someone who handles your money until its all gone."
    > > Diana Hubbard (of Scientology fame)
    > >
    > > -----------------------------------------------------------------------
    > >
    > > http://informationweek.com/story/showArticle.jhtml?articleID=166402192
    > >
    > > 3Com Rewards 'Responsible' Disclosure Of Security Flaws July 25, 2005
    > > EMAIL THIS ARTICLE
    > > PRINT THIS ARTICLE
    > > DISCUSS THIS ARTICLE WRITE TO AN EDITOR
    > >
    > >
    > >
    > > The company is planning to reward security researchers who reveal
    > > information on newly discovered vulnerabilities.
    > > By John Walko
    > > EE Times
    > >
    > >
    > >
    > > LONDON . Data networking group 3Com is planning to reward security
    > > researchers who reveal information on newly discovered vulnerabilities as
    > > part of an initiative run by its TippingPoint division.
    > >
    > > The so called .Zero Day Initiative. is aimed at ensuring the 'responsible'
    > > disclosure of security flaws in order to make technology more secure for
    > > all users. The goal is to proactively protect businesses against newly
    > > discovered vulnerabilities.
    > >
    > > According to 3Com, many security researchers want to be recognized for
    > > their discovery, but they don't always achieve that in a responsible
    > > manner. Instead, and all too often, they post the potentially harmful
    > > information publicly, catching businesses and vendors off-guard and
    > > unprotected.
    > >
    > > The initiative will recognize researchers for the discovery when the
    > > vulnerability is publicly disclosed with the vendor's patch.
    > >
    > > 3Com will notify affected vendors of security flaws so they can
    > > immediately begin working on a solution, most often in the form of a
    > > patch. The vulnerabilities will only be disclosed publicly once the
    > > affected vendor is able to offer a solution to end users, mitigating the
    > > threat.
    > >
    > > Providing pre-emptive protection will be done through 3Com subsidiary
    > > TippingPoint.s Digital Vaccine service.
    > >
    > > The company stressed it would share vulnerability details freely with
    > > other security vendors prior to public disclosure.
    > >
    > > 3Com CTO Marc Willebeek-LeMair said the initiative would ultimately
    > > benefit everyone in the industry: security and technology vendors,
    > > security researchers and end users.
    > >
    > > Vulnerabilities enable attackers to gain control of a system for malicious
    > > purposes. They can also result in worms or Denial of Service attacks,
    > > which can bring down entire networks.
    > >
    > > Zero day disclosure occurs when the discoverer of the vulnerability
    > > discloses the flaw to the public without notifying the vendor, putting
    > > businesses at risk from the time of disclosure until the affected vendor
    > > issues a patch. It can take vendors weeks or months to supply a patch.
    > >
    > > David Endler, Director of Security Research for 3Com's TippingPoint
    > > division, said: "This program will extend our research organization even
    > > further, and enable us to tap some of the most brilliant minds in the
    > > global security research community..
    > >
    > > _______________________________________________
    > > Full-Disclosure - We believe in it.
    > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > > Hosted and sponsored by Secunia - http://secunia.com/
    > >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    > Hosted and sponsored by Secunia - http://secunia.com/
    >
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/


  • Next message: phased: "Re[2]: [Full-disclosure] Our Industry Is Seriously Ethics Impaired"

    Relevant Pages

    • [Full-Disclosure] its all about timing
      ... what the vendor does it with. ... >Why do people look for vulnerabilities? ... >- They publish vuln info to make themselves noticed ... Full Disclosure issue must take into account the ...
      (Full-Disclosure)
    • Re[2]: [Full-disclosure] Our Industry Is Seriously Ethics Impaired
      ... >> information on newly discovered vulnerabilities. ... >> affected vendor is able to offer a solution to end users, ... >> other security vendors prior to public disclosure. ...
      (Full-Disclosure)
    • [Full-Disclosure] its all about timing
      ... Why do people look for vulnerabilities? ... They publish vuln info because they have customers that pay (or ... Full Disclosure issue must take into account the ... report vulns primarily to the vendor, in the hope that the vendor will ...
      (Full-Disclosure)
    • Re: Vulnerabilities in Dunia Soccer
      ... disclosure approach for informing admins and web developers about ... But in this time I used responsible full disclosure. ... lists) of vulnerabilities in CaptchaSecurityImages (a captcha script which ... it's single site issue in custom made captcha. ...
      (Bugtraq)
    • Re: [Full-disclosure] Amazon, MSN vulns and.. Yes, we know! Most sites have vulnerabilities
      ... What I am worried about for the moment is milw0rm. ... vulnerabilities are web/php based but pwn3d is pwn3d. ... disclosure zero-day postings as I do on milw0rm. ... University of Pennsylvania Information Security ...
      (Full-Disclosure)