[306] in bugtraq
Re: Full Disclosure works, here's proof:
daemon@ATHENA.MIT.EDU (Christopher Klaus)
Fri Dec 2 16:25:04 1994
From: Christopher Klaus <cklaus@shadow.net>
To: casper@fwi.uva.nl (Casper Dik)
Date: Fri, 2 Dec 94 12:07:44 EST
Cc: cklaus@shadow.net, bugtraq@fc.net
In-Reply-To: <199412021409.AA29942@mail.fwi.uva.nl>; from "Casper Dik" at Dec 2, 94 3:09 pm
> >Anyways, it has been less than a week and here's SCO patches. If 8LGM
> >had only reported the bugs to CERT and SCO, who knows how long would we
> >have seen the patches?
>
> So, tell me, where did the full disclosure take place?
I was using full disclosure in the sense that the problem is reported to
the world rather than just a select few organizations. IMO, I don't
think you need a no-brainer exploit script with a bug report before it is
fully disclosed. Probably enough info would be nice to check if this
bug is vulnerable on other OSes, since I doubt 8lgm has every machine and
OS to test the vulnerabilities they find for a single machine.
> We have seen no such fixes with the first batch of immediate full-disclosure
> 8lgm reports.
Well, that probably reflects the company that supports the OS. If one company
can get patches out a week after the problems were disclosed world wide
but without exploit scripts, and another company still hasn't officially
patched security problems that were reported world wide with exploit
scripts, then there seems to be something wrong here. And it probably isn't
reflecting which method of disclosure works better. That is, with or
without exploit scripts, it appears it doesn't make a difference in how a
company handles security reports.
--
Christopher William Klaus <cklaus@shadow.net> <iss@shadow.net>
Internet Security Systems, Inc. Computer Security Consulting
2209 Summit Place Drive, Penetration Analysis of Networks
Atlanta,GA 30350-2430. (404)518-0099. Fax: (404)518-0030