[9700] in bugtraq


Re: [HERT] Advisory #002 Buffer overflow in lsof

daemon@ATHENA.MIT.EDU (Greg Woods)
Sun Feb 21 19:13:00 1999

Date: 	Fri, 19 Feb 1999 14:03:35 -0700
Reply-To: Greg Woods <woods@UCAR.EDU>
From: Greg Woods <woods@UCAR.EDU>
X-To:         deraadt@CVS.OPENBSD.ORG
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199902190011.RAA26284@cvs.openbsd.org> from "Theo de Raadt" at
              Feb 18, 99 05:11:41 pm

> > People who publish bugs/exploits that are not being actively exploited
> > *before* giving the vendor a chance to fix the flaws are clearly
> > grandstanding.  They're part of the problem -- not the solution.
>
> The REAL problem is software package maintainers who do not proactively
> audit their software.

These are not mutually exclusive positions, but the former argument
gets more sympathy from me. In any reasonably complex software package,
it is possible to miss a flaw no matter how carefully you audit your code.
The measure of a good software vendor (or author) is not whether their code
is 100% free of flaws (none is), but how they respond when flaws are
discovered. In the case of a security flaw, revealing such a flaw before
a fix is in place, especially if the revelation comes complete with
an exploit script that makes anyone capable of exploiting the flaw with
zero effort, is irresponsible behavior. If someone who finds a flaw
is primarily concerned with minimizing the damage from such a flaw,
then it makes sense to contact the author *first*, and at least give
the author a *chance* to provide a fix. Someone who doesn't do this,
and instead goes public with how much he knows before anyone in a position
to fix the problem is informed, is more concerned with his own glory than
with getting the problem fixed. I.e., he is grandstanding.

--Greg
