Re: Scanners and unpublished vulnerabilities - Full Disclosure

From: Drew (simonis@myself.com)
Date: 05/28/02


Date: Tue, 28 May 2002 15:42:00 -0400
From: Drew <simonis@myself.com>
To: pen-test@securityfocus.com

Alfred Huger wrote:
>
> Heya all,
>
> Most of you who are long time users of this list know I tend to avoid
> conversations on-list about full-disclosure. I'm of the opinion it's a
> religious discussion with little or no merit for debate given that people
> are unlikely to move from their current position.
>
> Having said this every now and then something does occur within our
> industry to spur discussion. In this case I came across something which
> directly impacts the Pen-Testing arena and I would like to throw it out
> for open discussion. The event in question is a new Vendor Notification
> Alert Scheme the folks over at NGSSoftware announced yesterday. The
> announcement can (and should be) read at:
>
> http://www.nextgenss.com/news/vna.html
>

Seems to me like a thinly veiled marketing announcement. Worked, too.

I don't notice anything _too_ radically separated from well known
vulnerability disclosure methods, with the singular exception that
they do not make accommodations for a responsive vendor who has not
yet released a patch, which is in contrast to the RFPolicy, a well
known disclosure roadmap, and the referenced Christey-Wysopal policy.

I read it as "Buy our scanner and you'll have access to vulnerabilities
others don't yet have".

-Ds

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
