[Dshield] Re: [Larholm/PivX] Proxy attackers/hijackers

John Holmblad jholmblad at aol.com
Tue Oct 21 04:10:52 GMT 2003


I fully agree with your view on vulnerability disclosure. The supplier 
of any product has to make their own judgment of the benefits and costs 
their firm of the timing of disclosure which may or may not be in the 
best interests of customers, as odd as that may sound. Timing of the 
disclosure of auto safety defects bears witness to this dilemma for the 
auto industry, for example. I have for a long time bought into the 
homily (often stated by though probably not originated by Bruce 
Schneier)   that "security through obscurity" is not a good plan. I do 
believe time should be provided for the supplier to verify the 
vulnerability, just in case the discovering party has a "false 
positive". My sense, although I don't follow it closely, is that most 
industry participants are following that method (i.e. notifying the 
supplier first).

Best Regards,


John Holmblad


Televerage International


(H) 703 620 0672

(M) 703 407 2278

(F) 703 620 5388


www page:                      www.vtext.com/users/jholmblad

primary email address: jholmblad at aol.com

backup email address:  jholmblad at verizon.net


text email address:         jholmblad at vtext.com

More information about the list mailing list