[Dshield] Security Firm May Stay Mum on Vulnerabilities in the Future

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Tue Aug 9 04:13:59 GMT 2005


On Mon, 08 Aug 2005 23:24:08 EDT, "Roger A. Grimes" said:
> I don't want to start a flame war, but I'm in the small camp that
> doesn't necessarily see the big benefit of public disclosure. I found
> dozens of serious bugs over the years and reported them to vendors who
> usually fixed them. Some fixed them right away, some took awhile, and a
> few have never been closed. 

And how many would have been closed if the vendor didn't have at least the
threat of "fix it or I go public with your idiocy" hanging over them?  Or
even "if you patch it soon, maybe it won't be re-discovered by somebody
who *will* go public"?

Remember that not every exposure *has* to be fully disclosed - merely the
threat of bad PR from enough exposures to keep the vendor focused on fixing
stuff.

> All I see is public disclosure after public disclosure, followed by POC
> and new worms in days.  I've yet to find evidence of a non-disclosed
> zero-day exploit used to compromise my computers, but I've got 18 years
> of history of malware that was successful against client machines after
> the public disclosure was made.

So you'd rather have a world where the black hats have exploits, and we
don't have any clue what's whacking the machines?  Also - be honest with
yourself.  Are you *qualified* to be sure whether a 0-day got used
on your systems?  What would you use as a fingerprint to know it happened?