Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: Pierre Vandevenne (pierre@datarescue.com)
Date: 05/29/02


Date: Wed, 29 May 2002 00:02:59 +0200
From: Pierre Vandevenne <pierre@datarescue.com>
To: pen-test@securityfocus.com

Hello Alfred,

AH> conversations on-list about full-disclosure. I'm of the opinion it's a
AH> religious discussion with little or no merit for debate given that people

<humour>
Religious ??? Full disclosure is public nudism. Non-disclosure usually
ends up in strip-tease for a happy few.
</humour>

AH> In brief they are now unloading limited details to the public about
AH> vulnerabilities they have notified vendors about.

One week may be, in some cases, too short to expect a reliable fix.
Pushing vendors could lead to fixes that are buggier than what they
fix, or break other things. But yes, this is an understandable middle
ground and they address a real problem.

AH> the Pen-testing community is that these vulnerabilities which are in the
AH> process (presumably) of being fixed are actively being coded into the
AH> Typhon II Vulnerability Assessment Scanner from NGSSoftware. This

Fair enough. They have a competitive advantage. They deserve it. Which
other company would sit on a competitive advantage and not use it?
If they were telling us they are not using their knowledge, would we
believe them? Would we trust them?

-- 
Best regards,
 Pierre                            mailto:pierre@datarescue.com
