Re: Towards a responsible vulnerability process
From: Geo. (georger@NLS.NET)
Date: 11/04/01
- Previous message: Kirk Corey: "Re: Towards a responsible vulnerability process"
- In reply to: David LeBlanc: "Towards a responsible vulnerability process"
- Next in thread: David LeBlanc: "Re: Towards a responsible vulnerability process"
- Next in thread: Steven Healey: "Re: Towards a responsible vulnerability process"
- Reply: David LeBlanc: "Re: Towards a responsible vulnerability process"
Message-ID: <002001c16557$6b3f5f80$0a1a90d8@ntauthority>
Date: Sun, 4 Nov 2001 12:37:09 -0500
From: "Geo." <georger@NLS.NET>
Subject: Re: Towards a responsible vulnerability process
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> how we can encourage vendors to make better products, get fixes created
> and applied, and do so without encouraging what amounts to network terrorism.
> That's the goal. Let's try and find ways to get there.
You make some good points, David, but there is something you ignore as well.
The whole antivirus community is built on the idea of providing additional
software at an additional cost when the real solution should have been to
patch the base products that allow virus and worm propagation.
The perfect example of this is Code Red: the antivirus community considers it
a worm that they protect people against, but the real solution is to patch
the OS and www server. Without the details of how this worm spread, the
user/admin community would have been more than willing to accept that it was
a virus and therefore the responsibility of the AV community to protect us
at an additional cost instead of Microsoft's responsibility to issue free
patches for their secure product.
I have no desire to see security become an additional cost industry when in
reality it is the vendors' responsibility to provide the secure products they
claim to be supplying. Making the exploit information available only to the
select club of paid security professionals will allow this group to charge
us for what should be provided free of charge, much like the AV vendors
do.
The real question we should be asking is how can this information be made
public in full detail and in a timely yet responsible manner, not how we can
prevent people from finding out the details.
Geo.