[17844] in bugtraq


Re: Submission

daemon@ATHENA.MIT.EDU (Rune Kristian Viken)
Wed Nov 29 14:38:00 2000

Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id:  <00112913364600.21891@tesla.kvinesdal.com>
Date:         Wed, 29 Nov 2000 13:36:46 +0100
Reply-To: Rune Kristian Viken <arcade@KVINESDAL.COM>
From: Rune Kristian Viken <arcade@KVINESDAL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20001128115223.C15989@securityfocus.com>

Response to:
 Vendor Response and Reporting Vulnerabilities.
 Written by:  HellNbak (hellNbak@hushmail.com)

> At risk of starting the age old "Full Disclosure" debate again, I felt
> that I had to write this.  It seems lately, that the so called security
> industry has lost its backbone.  To quote a director of a popular
> security portal; "The whole thing is just sickening, I am waiting for
> someone to say something about it".  Well, here is your someone.

Strange.  I started out, reading this, positive and agreeing.  The security
industry *has* lost its backbone.  It's looking more and more like CERT with
every day that goes by - and it makes me sick.

> B.)  There is nothing forcing Georgi or anyone for that matter to follow
> RFPolicy, but the policy is a good idea and is very sound, so why not
> follow it.

What if you disagree with parts of it?  Personally I think RFP is far too
cooperative, and far too CERT-alike these days.

> I know a lot of you are probably thinking that this rant is pointed
> directly at Georgi and I guess it is as he is probably the largest
> offender.  Georgi, take this message for what it is worth, you are no
> longer doing the security industry a service, you are letting people know
> that AOL/Netscape and their big pockets can take a once respected person
> and obviously very intelligent security professional and use them to do
> their bidding.

Facts:
1.  He discovered a flaw.
2.  He published a flaw openly.

Arguments:
Publishing flaws in security programs gets them fixed.
Fixing security flaws is positive.

As far as I can see, what he has done is to get a security flaw fixed.
That is a service.  Period.  Claiming he is not doing us a favor is
ridiculous.  Trying to force -one policy- upon all security folks is
ridiculous.  If all flaws are to be handled in One Right Way, I for sure
know a lot of folks that won't care to get things fixed, if they discover
flaws.

--
"Rune Kristian Viken" <arcade@kvinesdal.com>
