Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities

• Previous message: Andrew Aronoff: "Re: CWS = Crummy Windows Security"
• Next in thread: Tim Johnson: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"
• Maybe reply: Tim Johnson: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"
• Maybe reply: Martin Viktora: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"
• Maybe reply: David Kennedy CISSP: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"
• Maybe reply: Ernst Lopes Cardozo: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Fri, 8 Oct 2004 00:00:00 GMT
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Drew Copley wrote:
> ... ... ... ... ... ..., and, ... ... ...

Drew,

That such long and detailed explanations rationalizing, defending, and disputing disclosure policies, and correcting innacurate allegations concerning one's disclosure practices of the past, are necessary at all is proof that there are only two options: black or white.

There are no gray areas when it comes to disclosure. Disclosure is something that good people do. Non-disclosure is something that bad people do. Be careful with asserting that there are lines somewhere in a gray area over which people should not step, for any such line is going to be a moving target, at best, and move right on past you while you are standing still, at worst, creating a condition where your own disclosures appear to have been malicious when viewed in retrospect.

To disclose, or not to disclose. That is the question.

If somebody of technical skill who has chosen disclosure decides that the circumstances warrant immediate full disclosure with proof of concept, then that is the action that must be taken. To do otherwise would be to go against one's own conscience, the core of which is already proved 'good' by the fact of the decision to disclose.

The longer one chooses non-disclosure, and the more willfully one does so, the less 'good' that disclosure appears - particularly after considering all of the technical truths about information security research and reverse engineering that you so carefully and corectly articulated.

Immediate full disclosure that cannot be disputed and leaves no room for debate immediately helps anyone who chooses to receive and consider the disclosure. Everything else serves only to delay and obscure that clear and urgent security alert communique, increasing the window of exposure and the Total Risk of Ownership needlessly.

Sincerely,

Jason Coombs
jasonc@science.org

--
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
--

• Previous message: Andrew Aronoff: "Re: CWS = Crummy Windows Security"
• Next in thread: Tim Johnson: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"
• Maybe reply: Tim Johnson: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"
• Maybe reply: Martin Viktora: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"
• Maybe reply: David Kennedy CISSP: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"
• Maybe reply: Ernst Lopes Cardozo: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]