[41602] in bugtraq
oracle not only offeder - researchers NOT responsible?
daemon@ATHENA.MIT.EDU (Gadi Evron)
Mon Dec 12 16:55:33 2005
Message-ID: <439B751C.3010607@linuxbox.org>
Date: Sun, 11 Dec 2005 02:38:52 +0200
From: Gadi Evron <ge@linuxbox.org>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Cc: David Litchfield <davidl@ngssoftware.com>, funsec@linuxbox.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
The following is a very well researched text from Matthew Murphy's blog
discussing the matter of disclosing vulnerabilities to many vendors (and
specifically Microsoft). Further, as I understand it, he shows how
vendors today use terms such as "responsible disclosure" to scare
researchers and claim they are NOT responsible if they don't do it their
way.
While I certainly did not dispute the facts that David Litchfield showed
of Oracle's behaviour, I did not agree with how he did it or that Oracle
is alone.
Oracle is not the only offender, and while I agree that Microsoft has
come a LONG way and takes security a whole lot more seriously than they
used to.. they still seem to not understand the security community and
treat security as a PR problem.
He shows specific cases and vulnerabilities, and is worth a read. Quite
Refreshing and very informative.
http://blogs.securiteam.com/index.php/archives/133
Gadi.
