[238] in bugtraq
Re: full disclosure
daemon@ATHENA.MIT.EDU (Gene Spafford)
Mon Nov 28 21:00:45 1994
To: bet@std.sbi.com (Bennett Todd)
Cc: mouse@Collatz.McRCIM.McGill.EDU (der Mouse), bugtraq@fc.net
In-Reply-To: Message from bet@std.sbi.com (Bennett Todd) of
"Mon, 28 Nov 1994 13:58:20 -0500"
<9411281858.AA15108@std.sbi.com>
Date: Mon, 28 Nov 1994 18:14:03 -0500
From: spaf@cs.purdue.edu (Gene Spafford)
> >Feh. I'm disappointed to see you spouting this silliness, spaf,
> >especially since if anyone ought to know better, it'd be you.
>
> I thought spaf was on record as being opposed to disclosing exploitation
> info for security holes.
I am generally not in favor of immediately disclosing exploitation
information, especially if it does not include fix information. If I am
presented with some evidence that immediate disclosure is more beneficial to
the community or to critical entities within the community, I will become an
advocate for it.
I am also in favor of publication of details of bugs and exploits either after
they have been fixed, or after they have been known long enough to indicate
that the vendors involved will not produce a fix.
I am certainly not in favor of keeping details secret indefinitely.
> Personally, I agree with you, it's important to get the info out there. But
> I can see why the vendors would be opposed to it: by and large, they don't
> really support their OSes, and so they'd much rather the exploitation info
> stay secret, known only by them and by the hard-core burglers.
This shows a remarkable lack of understanding of how things really work.
Some vendors may feel this way, but the vast majority don't. It is certainly
not in their best interest to have unfixed holes about.
> Happily, there is at least one vendor out there offering _good_ support. I'm
> really looking forward to seeing BSDI's product on Suns.
If BSDI had as many customers as Sun, on as many platforms, and under as many
different configurations and architectures, I daresay you'd be bitching about
their slow response too.
