On Wed, 26 Apr 2006, Tim Bilbro wrote:
You do a disservice to all IT shops by announcing these vulnerabilities
before contacting the vendor.
How were you impacted? What were your damages? The only loss that could
possibly occur to you or your company was the time you wasted to write
this rant, and the subsequent damage to your reputation if you turn this
into a fully-fledged and entirely counterproductive flamewar.
In case you didn't notice, I *do* work with vendors; not because I believe
that a particular disclosure policy is morally superior, but because I
chose to. Microsoft is a rare exception to this rule, for a couple of
reasons.
Why, you ask? It is my unsubstantiated opinion that they consistently,
unreasonably delay disclosure of problems; that they don't participate in
the vulnerability research community in any way, while trying to impose
artbitrary standards and punish certain researchers (often employing
borderline extortion practices); and that they routinely communicate false
pretenses when dealing with the media regarding known security issues.
I can't make a difference, but I'm one of the few folks who can still
afford this small degree of civil disobedience.
I am sure it would not generate as much web traffic to your site
Oh, tragic. Generating traffic to my ad-free webpage is precisely why I
spend hours researching problems. Now you see why I couldn't handle it any
other way.
Would you go around town checking which stores are unlocked at night and
then publish the list in the news before letting the shop owners know?
I see that you took the "bad analogy 101" course in the logical fallacy
class?
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
