Full Disclosure is a good thing and anyone involved in the security
community should be thankful for its existence! If people actually believe
that the 0-days posted to this list are all 100% unique.... all i can say is
wow, you're disconnected.
Ditto.
Case study:
At least twice in the last year, myself and coworkers have found
vulnerabilities in widely-deployed software while performing pentests,
only to find someone else posted the exact same flaws before we had a
chance to. No, we didn't leak these holes, they were found
independently prior to us finding them. I imagine this happens a lot.
Notifying a vendor prior to public disclosure probably helps the public
more than it hurts, at least initially. But if one waits too long on
the vendor, someone else *will* find the hole and may decide to use it
for various nasties. Knowing what that break-even point is in delaying
disclosure involves knowing many variables that can only be estimated.
Therefore the amount you "should" wait on a vendor to disclose is very
subjective even if we all agree we should be defending the public (which
on this list, is not the case). So, why don't we stop arguing about it
and just deal with the information the best we can?
tim
PS- For those of you complaining about MZ, how long will you sit in
Microsoft's frying pan[1]? Why not get out so you don't have to
worry about it?
1. http://www.clichesite.com/content.asp?which=tip+2858
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
