On Sun, Sep 6, 2015 at 3:51 PM, Georgi Guninski <[email protected]> wrote:
> On Sat, Sep 05, 2015 at 03:48:48PM +0000, Alfonso De Gregorio wrote:
>>
>> .... I ask vulnerability sellers: How
>> effective your favorite exploit acquisition platform / program is at
>> preventing this from happening again?
>>
>
> You mean something like the dear nsa:
> http://www.theregister.co.uk/2015/09/04/nsa_explains_handling_zerodays/
>
> Mind-blowing secrets of NSA's security exploit stockpile revealed at
> last
> Incredible document has to be seen to be believed
It made me reconsider the true meaning of [XXXXXXXXXXX] to read about [XXXXXXXXXXX] and, especially, [XXXXXXXXXXX].

More seriously: After years of fierce debate, vulnerability disclosure is still looking for a convincing answer. The NSA may contribute its substantial share to the discussion --- albeit less to the practice --- of vulnerability disclosure. Needless to say, it would have been more helpful to read a less heavily redacted 'Vulnerabilities Equities Policy and Process' to this end.

On September 29, NTIA will convene a meeting on this topic. For those considering attending it:
http://www.ntia.doc.gov/september-29-multistakeholder-meeting-vulnerability-disclosure-pre-registration

Will we never stop drinking from the (endless?) stream of exploitable vulnerabilities?

-- Alfonso
