Re: Vendor notification

From: Barrie Dempster (barrie_at_reboot-robot.net)
Date: 03/31/05

    Date: Thu, 31 Mar 2005 13:57:49 +0100
    To: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>

    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
    <snip>
    > I'm talking about informing about 'bad stuff in the wild' to help the
    > vendor know that we are all protected for this stuff.
    >
    <snip>

    If every such incident was reported to the vendor they would be flooded
    with absolute garbage all day. How many times do we see "is this a new
    virus?" and other such questions where the poster hasn't done any basic
    research or verification at all?

    I think it's important to ask "do you see this too?" on the appropriate
    forum; then, when you have some verification and discussion, you can pass
    the info on to the vendor if it seems prudent. However, most vendors are
    reading the appropriate forums for their products and become aware very
    quickly of any possible issues. When it comes to discussing and
    disclosing any new security problems, the most important people in the
    equation are the *users*, not the vendors. I agree, though, that in many
    cases you would want direct vendor notification, but unless it's
    something they can fix directly - i.e. patchable - then let the users
    know first, so that they can set up IDS/IPS rules, configure firewalls or
    monitor for traffic patterns.

    Your example was an exploit existing for an already determined
    vulnerability; in this case I don't think the vendor needs to care about
    it at all, as the presence or lack of an exploit should have no bearing on
    their time to patch release. If it's a security vulnerability then the
    patch should be released as soon as reasonably possible. If the patch is
    already released and the exploit appears, then the vendor doesn't have
    to know or care; the user, however, might want to monitor this for their
    own research/defense.

    Basically this boils down to....
    Find it, discuss it with peers, if the vendor can fix it notify them.

    -- 
    With Regards..
    Barrie Dempster (zeedo) - Fortiter et Strenue
    blog: http://zeedo.blogspot.com
    site: http://www.bsrf.org.uk
    CA: www.cacert.org
    "He who hingeth aboot, getteth hee-haw" - Victor (Still Game)