Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities
From: Ernst Lopes Cardozo (e.lopes.cardozo_at_ARANEA.NL)
Date: 10/08/04
- Previous message: Russ: "Disclosure Debate - yet again"
- Maybe in reply to: Jason Coombs PivX Solutions: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 8 Oct 2004 22:06:23 +0200 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Argh! What next, if "long and detailed explanations" are held against us by
someone signing with "science.org"? If someone's conscience requires him to
deny his fellows vacation nor sleep, requires them to be ready to catch any
ball so craftfuly thrown out of his pit?
Let me -briefly- rationalize, if that's still permitted:
- we want to plug the holes before the bad guys exploit them
- so we need the time to apply patches in a responsible way
- even the guys tending 10.000 machines
- even the innocent home users, since their lapses hurt us all
- so we need the patches and the patching vehicles
- so the vendors need time to create and test these
- since patches are hard to distributed without disclosing something about
the vulnerability, there WILL be partial disclosure at that time; but there
is really, really no need to be too specific at that point; there still is a
lot of work to do.
It makes perfect sense to:
1. disclose to the vendor and monitor his progress 2. if the vendor responds
positively, disclose your claim when the patches come out 3. disclose the
details (which may advance the science) by the time the immunization has
progressed sufficiently to preclude major damage.
4. if and only if an exploit surfaces, full disclosure is warranted to allow
each of us a fair chance to fend it off. At that point it is every man for
himself.
I won't claim to present science, but please do forward your arguments, as
long and detailed as you see fit.
Ernst Lopes Cardozo
Jason Coombs of PivX Solutions wrote:
(...)
That such long and detailed explanations rationalizing, defending, and
disputing disclosure policies, and correcting innacurate allegations
concerning one's disclosure practices of the past, are necessary at all is
proof that there are only two options: black or white.
(...)
If somebody of technical skill who has chosen disclosure decides that the
circumstances warrant immediate full disclosure with proof of concept, then
that is the action that must be taken. To do otherwise would be to go
against one's own conscience, the core of which is already proved 'good' by
the fact of the decision to disclose.
(...)
Jason Coombs
jasonc@science.org
-- NTBugtraq Editor's Note: Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field. --
- Previous message: Russ: "Disclosure Debate - yet again"
- Maybe in reply to: Jason Coombs PivX Solutions: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
