> There are two sides to this issue. 1. Releasing bug/vulnerability
> information to the public will release hordes of script
> kiddies to cause havoc and dismay instantaneously without
> recourse. 2. Releasing bug/vulnerability information will cause
> industry leaders like Microsoft and respectively Allaire to
> act on the information sooner than later.
>
> I can see both sides of the fence but would lean to alerting
> the public to the problem. Security by obscurity is not a good
> policy to live by.
While I agree with this as far as product vendors are concerned, that's not
what's going on here. It's one thing to release general information about
vulnerabilities in MS products to the public (although even within the
security community, there's quite a bit of debate over whether and how this
should be done - should the vendor be notified privately first, how long
between vendor notification and public release, etc.). It's another thing to
release specific information about who hasn't patched their installations of
vendor products, which is what's going on here - "so-and-so is vulnerable to
the .htr bug". This doesn't have any place within either side of the issue
that you're talking about, and is pretty irresponsible in my opinion.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Archives: http://www.mail-archive.com/[email protected]/