Re: In reply to comments about new policy
daemon@ATHENA.MIT.EDU (Pat Myrto)
Wed Nov 30 15:52:55 1994
From: rwing!pat@ole.cdac.com (Pat Myrto)
To: bugtraq@fc.net
Date: Tue, 29 Nov 94 22:57:58 PST
In-Reply-To: <94Nov29.131535edt.286@marvin.cdf.toronto.edu>; from "John DiMarco" at Nov 29, 94 1:15 pm
"In the previous message, John DiMarco said..."
>
> [ ... ]
>
> Surely there is a third way: time-lapsed full disclosure. When a problem is
> discovered, don't announce it until there's a patch, then announce the problem
> and the patch together, without exploitation information.
BINGO!!!! That is what I (and many others) have been advocating all
along. A stepwise approach: Vendor first, then partial disclosure
(including a note that full disclosure is coming in about a week or so -
depending on the individual problem at hand), and finally the full
disclosure, with at least an attempt at a fix included if humanly
possible.
If the hole was discovered via a cracker's break-in, that shortens the time
frame a lot, as the cat's pretty much out of the bag.
In no case should the delay be so long that the affected OS is dead and
stinking, though...
> After a suitable time (weeks?) has passed, the rest of the information can be
> announced. But don't post scripts to exploit the bug; it gives root to too
> many newbies.
I'll go along with that. But sufficient info for an admin to figure
things out enough to TEST for the bug. It will help the admins, but I
think a canned gimmie-root script all ready to run is a bit much.
But I will take the canned scripts in preference to the CERT-like approach.
[ ... ]
--
pat@rwing [If all fails, try: rwing!pat@eskimo.com] Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding
empirical evidence." -- Ann Landers, nationally syndicated advice columnist
and Director at Handgun Control Inc.