[22199] in bugtraq


RE: Can we afford full disclosure of security holes?

daemon@ATHENA.MIT.EDU (Richard M. Smith)
Fri Aug 10 20:37:52 2001

From: rms@privacyfoundation.org (Richard M. Smith)
To: <aleph1@securityfocus.com>
Cc: <bugtraq@securityfocus.com>
Date: Fri, 10 Aug 2001 15:32:53 -0400
Message-ID: <003101c121d3$429d36a0$0f01a8c0@tiac.net>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20010810132423.H15017@securityfocus.com>

I've probably found a dozen or so security holes in Microsoft products.
Many of these problems were reported on the BugTraq list without full
disclosure.  How come so few people have ever approached me for the full
details?  I guess I don't see the same level of demand for
full disclosure as you do.

However, one thing is now crystal clear with Code Red: full disclosure
comes with one hell of a price tag.  There has to be a better way.

Richard

-----Original Message-----
From: aleph1@securityfocus.com [mailto:aleph1@securityfocus.com] 
Sent: Friday, August 10, 2001 3:24 PM
To: Richard M. Smith
Cc: bugtraq@securityfocus.com
Subject: Re: Can we afford full disclosure of security holes?


* Richard M. Smith (rms@privacyfoundation.org) [010810 19:19]:
> For this particular IIS bug, it is all very simple.  If you run IIS, 
> download the Microsoft patch!
> 
> Buffer overflows are a dime a dozen.  Who really cares about the 
> details of this particular problem other than Microsoft?

Who cares? System administrators, security vendors, researchers, etc.
Did you not read my message? All these people need the information.

> Richard

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
