Hey Martin ,
I agree with u partly but there are vendors out there
in the market who has Dont know DOnt care attitude. If
thats the case after idetifying and exploiting the
vulnerability in the same vendor product , I
personally would not like to waste my and your time
with vendor who did not give us fav response before.
I would refrain from taking names but I have seen that
happening in the past and still some of those vul are
existing in those products.
However no one can deny Full Disclosure with
responsibility the responsible Disclosure !!!
Regards,
TCP-FIN
--- Martin O'Neal <martin.oneal@corsaire.com> wrote:
my opinion is that full disclosure is not for
vendors ..
it's for users. full disclosure is for us to know
how to
react on certain threads.
Which is just fine if you are technically competent
to understand the
threat, and there is also a valid mitigating
strategy you can employ
immediately. For the vast majority of situations
though, this just
isn't the case. The users are not technically
competent enough to
understand the true threat posed by an entry on a
news group (which are
generally hopelessly incomplete and/or factually
inaccurate) and then
this is coupled with a vulnerable product that may
be essential,
difficult to protect, and a stable official fix that
may be weeks or
months away from delivery.
I personally also believe in full disclosure, but it
has to be delivered
in a responsible fashion. Dispatching
vulnerabilities to a public list
without even attempting to contact the vendor is
clearly not in the best
interest of the vendors nor the great majority of
the user base.
Martin...
----------------------------------------------------------------------
CONFIDENTIALITY: This e-mail and any files
transmitted with it are
confidential and intended solely for the use of the
recipient(s) only.
Any review, retransmission, dissemination or other
use of, or taking
any action in reliance upon this information by
persons or entities
other than the intended recipient(s) is prohibited.
If you have
received this e-mail in error please notify the
sender immediately
and destroy the material whether stored on a
computer or otherwise.
----------------------------------------------------------------------
DISCLAIMER: Any views or opinions presented within
this e-mail are
solely those of the author and do not necessarily
represent those
of Corsaire Limited, unless otherwise specifically
stated.
----------------------------------------------------------------------
Corsaire Limited, 3 Tannery House, Tannery Lane,
Send, Surrey, GU23 7EF
Telephone: +44(0)1483-226000
Email:info@corsaire.com
-------------------------------------------------------------------------
Sponsored by: Watchfire
Securing a web application goes far beyond testing
the application using
manual processes, or by using automated systems and
tools. Watchfire's
"Web Application Security: Automated Scanning or
Manual Penetration
Testing?" whitepaper examines a few vulnerability
detection methods -
specifically comparing and contrasting manual
penetration testing with
automated scanning tools. Download it today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
