[9713] in bugtraq


full disclosure and vendor education

daemon@ATHENA.MIT.EDU (Antonomasia)
Sun Feb 21 23:27:31 1999

Date: 	Sat, 20 Feb 1999 23:03:57 GMT
Reply-To: Antonomasia <ant@NOTATLA.DEMON.CO.UK>
From: Antonomasia <ant@NOTATLA.DEMON.CO.UK>
To: BUGTRAQ@NETSPACE.ORG

We are not going to get anywhere in software security until suppliers
(I nearly said vendors) become more aware of the problems their code
often has.

There is a wide range of knowledge and ability among software suppliers.
The upper end has its problems; the lower end is a menace.

Many list readers work hard at eliminating security bugs from their sites
and do not look kindly on the flow of new and avoidable incoming bugs.
When you raise likely bug reports with a supplier they can go something
like this:


   Us> We just got "foo v10" from you.  We noticed a remotely-accessible
   Us> buffer overrun reaching the stack pointer in a root-run program.
   Us> This is a security problem we'd like you to fix.


   Them> Thank you for your interest.  We are not aware of any security
   Them> issues with our industry-leading product.


With a full-disclosure archived list you have an educational resource to
lead these guys to, even if you can't make them think.

Spaf's point on making a dangerous bug known first to the public rather than
the supplier is of course a valid one.


--
##############################################################
# Antonomasia   ant@notatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
